My goodness there’s a lot of folk out there just beginning to panic a bit!
Not without good reason, you might think? The proposed financial punishments set to be meted out by the ICO make for sobering reading indeed, but for what it’s worth my advice would be to keep calm and carry on.
Reading between the many lines of the new regulations, and having consulted with far wiser souls than myself, the very clear message I’m getting is that you, we, and all exploiters of personal data, need to have a plan of action regarding GDPR and be firmly on the road to compliance, if not complete compliance itself.
I say this not least because 100% compliance can only rarely be achieved – there will always be more that we can do to protect the personal data we hold, and from here on we are obligated to foster a culture of disclosure and consent.
In the meantime – if you’ve not yet started to become compliant – there’s plenty you can do to move this along.
Those of us in the thick of this talk of “data audits” and “processing agreements” and the like – it all sounds terribly complicated and quite beyond the wit of many who are just trying to run and market a business. But the truth of it is that the advent of GDPR affords us the opportunity to simply respect people’s privacy and to think very carefully about how we communicate with those who’ve entrusted their personal details to us.
So… make a start; get on that road to compliance - you’ll be actioning Best Practice that I promise will render your business better organised, more able to react to data breaches or hacks, and better able to communicate with your clients and associates in ways that are welcomed and fruitful.
Let’s at least get started on the basics:
- Review where you store and manage your data… this can be anything from a piece of paper to a fully featured enterprise level CRM - any anything in between. Just have a good think about how secure that data is;
- Can it be accessed by anyone other than an appropriately authorised person?
- If it’s on a website how much personal data is public-facing and are regular security updates carried out on the site's CMS?
- Do you have “legitimate cause” to keep this data for business purposes (accounting, CRM, compliance)?
- Do you have legitimate cause to keep this data for marketing purposes?
If you can produce reasonably solid answers to the above questions then you’re already well on the way to compliance.
Another reason not to panic is simply that so much of the new regulations has yet to be properly defined and resolved in case law and precedent; there is far too little agreement on the nuances and subtleties of a number of aspects of the dictum that will require interpretation in court before it can be applied meaningfully by those of us in the real world.
I don’t suggest for one second that the new regulations should not be taken seriously - they absolutely should - but I do suggest that getting compliance right is better than rushing the process and getting things wrong.
So, GDPR is upon us but please, in the immortal words of the great Douglas Adams, “Don’t Panic”…
NOTE that 3B Digital Ltd is a technical delivery house; we are not lawyers and our advice and guidance - especially in matters relating to data security and the like should be subject to legal review and approval.