15 December 2017
GDPR or Getting Data Protection Ready
By Carol Tullo, Non Exec Advisor NKCC
Christmas Day will mark the six-month point before the new data protection regime becomes operational on 25 May 2018. This offered a seasonal hook for my personal reflections on data protection preparedness across a number of organisations that I have worked with and advised this year.
There are lots of countdown clocks and collected checklists available online. It can be scary. Ultimately, though, data hygiene and preparation for the changes come down to planning and confidence. If you are responsible for data that drives your business, organisation, school or university, then the loss or compromise of that data will drive a loss of confidence and, worse, a loss of reputation. Working across government, I saw departments developing robust information assurance systems and security capacity. Government, like most institutions, is good at putting in place technical controls to manage information risk. The weakest part of any system will be the people who use it. Reinforcing the message that safe and secure handling of personal data is everyone's responsibility, from senior management through every level of your organisation, continues to be a significant piece of learning for many. Training offers and workshops focus on giving people confidence in identifying the risks and in dealing with them in simple stages and practical steps.
Nothing new here, then? If your organisation has been data protection (DP) compliant and aware to date, then you are well on the way to being GDPR compliant. The aim is to build on existing personal data handling but adapt it to our changing digital world. The current Data Protection Bill places this firmly in the digital space.
A few months ago, I first heard the expression that GDPR is simply Data Protection on steroids! It is a direct way of saying it is more of the same and stronger, better, faster… to coin a phrase. I have seen awareness taken very seriously. Holding a data awareness month in the office, regular blog posts on intranets, internal newsletters and posters in the lifts, glossaries of terms, staff briefings and training are just a few of the many initiatives. Equally, I have been surprised at the lack of knowledge, still, about the need to strengthen data controls and housekeeping. I know from leading and attending external training events and conferences that these also reinforce messages internally and drive home personal understanding of how we expect our personal data to be managed and held. The need for unambiguous consent and the recording of consent means that standard alerts on websites and opt-out consent to cookies will no longer be fit for purpose. If services are offered to children, then age verification and parental consent measures need to be thought about. I have also heard comments that the threat of the Millennium Bug [remember 31 December 1999] was a damp squib and that GDPR will be the same. GDPR delivers a safer data environment and is a wake-up call for those that have been lax in the past.
My first starting point would be to look at your privacy policy or statement. Don't have one? Then get help and advice to draft one that clearly explains what personal data you capture or hold, for what purposes, for how long, and what security measures protect it. Then think about how consent can be withdrawn and how requests for the data you hold will be fulfilled. Much is common sense. If you do have one, then it is time for a refresh. Use the opportunity to restate the data standards you require of your teams and colleagues to be compliant. Data management and data privacy may not have been in Dickens's mind when he wrote A Christmas Carol, but they are the skills to equip us all for our 2018 digital past, present and future.
(c) Carol Tullo, 2017.
The contents of this blog post can be shared and re-used under the terms of a Creative Commons Attribution Share Alike Licence http://www.creativecommons.org