GDPR

By Petra Clayton

This month Custard Communications attended the Meetings Industry Association (mia) Business Breakfast event to hear events marketer Hellen Beveridge discuss what the General Data Protection Regulation (GDPR) will mean for business owners, ahead of its enforcement date on 25th May 2018.

Over 60 delegates travelled from around the UK to Bush House, King’s College London, to find out what the new legislation will have in store for collecting and storing data and whether appointing a Data Protection Officer (DPO) is necessary to avoid possible fines.

Hellen Beveridge admitted she has been living and breathing GDPR legislation in order to better prepare businesses for what is to come. The UK is seen to be behind when it comes to the transition to the new legislation, with some businesses still unaware that they must be fully compliant by May 2018 or risk fines of up to EUR 20 million or 4% of global annual turnover.

The current Data Protection Act (DPA) has long been outdated, having come into force in 1998, before the rise of the digital age and the popularity of social media. This necessary move will ensure that the privacy of individuals is better respected and a new level of trust is built.

Hellen explained that smaller businesses should be aware that no one is exempt from the risk of security breaches, especially if you’re sharing information that isn’t encrypted, storing work data on personal devices or destroying data incorrectly.

She also discussed the possibility of being targeted by hackers. It is a problem for businesses of all sizes because of what is referred to as a ‘honeypot’ of information: hackers gather small pieces of information from many sources (known as ‘harvesting data’), such as names, addresses and bank details, and then sell this information on.

Hellen advised that all business owners should conduct a full data audit and destroy any information that will not be compliant ahead of the enforcement date, outlining that “data is very difficult to destroy, but the legislation says that you need to make a reasonable effort in proportion to risk and sensitivity of the data you are handling.” Hellen explained that low-risk portable data, paperwork for example, can be physically shredded provided the paper is then disposed of correctly. The same applies to digital files: they can be deleted from your computer, but the recycle bin also needs to be emptied to ensure the files cannot be recovered.

For those looking for a simpler way to store their data, a SQL database might be beneficial. Hellen recommended this as the easiest way to store and remove data, because the backups eventually get overwritten. She explained that it is “important to remember that some people never want to hear from you again, so it is important to maintain a global suppression list to ensure that their information doesn’t end up on your database again.”
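As an added illustration of the suppression-list idea (example code, not from the article or the speaker), the following SQLite schema erases a contact on request and keeps only a salted hash of their email in a suppression table, so that a later import cannot quietly re-add them. The table names, the `PEPPER` value and the sample addresses are constructed for this example.

```python
import hashlib
import sqlite3

# Constructed secret for this example only; in real use load it from a
# secrets store so the suppression hashes cannot be reversed by a dump.
PEPPER = b"example-pepper-not-for-production"


def normalise(email: str) -> str:
    """Trim and lower-case so 'Alice@Example.com ' and 'alice@example.com' match."""
    return email.strip().lower()


def fingerprint(email: str) -> str:
    """Salted SHA-256 of the normalised address; the list holds no plain emails."""
    return hashlib.sha256(PEPPER + normalise(email).encode("utf-8")).hexdigest()


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Create the contacts table and the global suppression table."""
    db = sqlite3.connect(path)
    db.executescript(
        """
        CREATE TABLE IF NOT EXISTS contacts (
            email TEXT PRIMARY KEY,
            name  TEXT NOT NULL
        );
        CREATE TABLE IF NOT EXISTS suppression (
            fingerprint TEXT PRIMARY KEY,
            reason      TEXT NOT NULL
        );
        """
    )
    return db


def forget(db: sqlite3.Connection, email: str, reason: str = "subject request") -> None:
    """Erase the contact record and remember only its fingerprint."""
    with db:
        db.execute("DELETE FROM contacts WHERE email = ?", (normalise(email),))
        db.execute(
            "INSERT OR IGNORE INTO suppression (fingerprint, reason) VALUES (?, ?)",
            (fingerprint(email), reason),
        )


def add_contact(db: sqlite3.Connection, email: str, name: str) -> bool:
    """Insert a contact unless they are suppressed; return True if stored."""
    row = db.execute(
        "SELECT 1 FROM suppression WHERE fingerprint = ?", (fingerprint(email),)
    ).fetchone()
    if row is not None:
        return False
    with db:
        db.execute(
            "INSERT OR REPLACE INTO contacts (email, name) VALUES (?, ?)",
            (normalise(email), name),
        )
    return True


def contact_count(db: sqlite3.Connection) -> int:
    """Number of live contact records (used to confirm erasure)."""
    return db.execute("SELECT COUNT(*) FROM contacts").fetchone()[0]
```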

Hellen went on to discuss the option of appointing a DPO, which is not necessary unless you are a public authority or an organisation that collects and processes sensitive information, such as criminal convictions and offences. She did mention, however, that it would be a good idea to appoint someone within your company who can attend a course to learn more, as this is a living document and it will be important to stay current on what any future changes will mean for businesses.

The key message Hellen delivered to delegates was to start ‘thinking of data as people’, to change the perception and attitudes around collecting, storing and deleting data, as the reputation of the business owners is now on the line.

Custard’s Top Tips on GDPR legislation

  1. If you haven’t already, conduct a full data audit using the Privacy Impact Assessment form, which can be found here: https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf
  2. Determine your Data Lifecycle. Before collecting any further information, decide what information you need, how long you need to keep it, what you will ultimately use it for, whether you are a controller (collecting data) or a processor (processing information), and when and how you plan to destroy the information once it is no longer needed.
  3. Send Securely! Ensure that any file containing personal data that is sent to others within the business via email is encrypted, and that the password is sent separately via mobile phone.
  4. To DPO or not to DPO? There is no need to employ a Data Protection Officer unless you are a public authority, carry out large-scale systematic monitoring of individuals, or process special categories of data relating to criminal convictions or offences. You can, however, choose to appoint someone within your business who can learn about GDPR to help stay current with this ‘living document’, so that you remain within the privacy laws.
  5. Small but Mighty. Hackers love small organisations because they are more relaxed when it comes to security, and therefore information is easier to obtain and sell on. This process is called ‘harvesting data’ and everyone is at risk. Ensure that employees use encrypted phones to protect data in case the devices are lost or stolen, and ask suppliers that have used any of your data to destroy it fully.

For more information regarding GDPR, visit https://ico.org.uk/