I have to say, I’ve surprised myself by feeling the need to write about the scary abbreviation ‘GDPR’ in The Chamber’s blog. As many of you know, we recently held a business breakfast on the very topics of Data Protection and Cyber Security. Organising this event required me to do some basic reading on the subject to try to grasp what is going to happen in May 2018 and why business professionals in the know are stressing that we all learn about it.
I think that initially I assumed it probably wouldn’t affect me: that we would get some direction on how to handle this from our parent Chambers, or perhaps our board of directors would take control. Then I realised it’s a far more ‘in house’ policy that needs to be adopted. But that’s ok, we have the support of MJD Systems on the other end of the phone, who are experts in GDPR and Cyber Security. But would that be enough?
Of course IT providers like MJD Systems can offer assistance, but there is a lot of work and compliance activity that we all need to do ourselves before any process management or data handling can be outsourced. I am certainly no expert on this and have taken what I can from our business breakfast, but my best advice is to seek help and guidance with sorting out your data protection compliance before the deadline of May 2018.
So, I thought I’d tell you about the things that stood out to me most when learning about GDPR:
- If you use an external provider to send emails or to hold any information, e.g. cloud systems or email marketing services, you must know where they hold your data. Personal data may only be transferred outside the EEA to countries the EU recognises as offering adequate protection, or under a specific safeguard such as standard contractual clauses. The USA has no blanket adequacy decision, so you need to check this out with each provider before the data leaves your hands.
- The Regulation actually entered into force in May 2016, with a two-year transition period before it applies from 25 May 2018, and yet people still haven’t done anything about it. I assumed that many of our providers would have been in contact regarding compliance far sooner, but it seems there will be a mad rush for everyone to get on board.
- Any information identifying a client must be kept protected, and that includes on your personal phone. If your work emails are on your personal phone then: a) the phone and the mail app must be locked with a passcode or password, b) the phone must have malware protection on it, and c) no one else can have access to that personal device. GDPR doesn’t spell out these exact measures, but it does require ‘appropriate technical and organisational measures’, and a lost or shared phone full of client data is exactly the kind of breach you may have to report.
- Where you rely on people’s consent, they will now have to actively ‘opt in’ (no pre-ticked boxes or silence) to you using their information and know exactly what you are doing with it. Consent is only one of the lawful bases for processing, but the rules around using and sharing people’s data will tighten whichever basis you rely on. Not that in the Chamber we don’t already do this.
- Where is all the information that you hold? Paperwork, accounts, online information, etc. And is it up to date? You are responsible for the data you hold being accurate, i.e. has your client got married and changed name or address? Knowing that is your responsibility.
- The maximum fine for non-compliance after May 2018 is 20 million Euros or 4% of your annual worldwide turnover, whichever is greater.
My concerns could go on and on, but what’s most important to me is that we start to plan and get everything in line before it’s too late. As a membership organisation we have to look closely at our processes and make sure that all of our members are aware of, and happy with, any way we may use their data.
Within our membership there are experts in protecting you against breaches, and experts in insuring you for the future. Please get in contact with MJD Systems, Ledingham Chalmers or Clark Thomson for further advice. Also don’t forget the HR & Legal cover that’s included in your membership, should you need some impartial guidance.
See you all soon