The EU’s new and far-reaching General Data Protection Regulation (GDPR) affects every aspect of a business, not just the IT department or top management.
The EU General Data Protection Regulation (GDPR) is already law right across the entire European Union, including in the UK, but from May 2018 authorities will be able to impose fines for failing to keep personal data appropriately secure, even when no breach has occurred, of up to €20 million (approx. £17.2 million) or four per cent of annual global turnover, whichever is greater.
It’s not an idle threat. Unlike previous data protection directives, which were written into law individually in each member state, the GDPR will be implemented uniformly across the bloc, and the European Commission, the EU Parliament and the member states have all made it clear that they intend to follow the letter of the law. Britain’s Payment Card Industry Security Standards Council (PCI-SSC) has warned that UK businesses could face up to £122 billion in fines for data breaches once GDPR enforcement kicks in, dramatically up on 2015’s level of fines of £1.4 billion.
Despite this, ignorance remains pervasive.
A recent Security Tracker survey by Shred-It found that 84 percent of small UK business owners are unaware of the GDPR. Meanwhile, Ireland’s Data Protection Commissioner, Helen Dixon, recently told The Sunday Business Post that there were “relatively low levels of awareness” of even the current requirements under data protection law and “very low awareness” of the GDPR, particularly in micro-businesses.
Even within organisations that are aware of the GDPR, many staff and executives do not realise quite how serious it is, and there can be significant “siloing”, such that one department may be up to speed while others are not.
One common mistake is to consider the GDPR “an IT problem” or mistake it for a simple question of security from cyber attacks.
Given the severity of the punishments, which are enough to bankrupt many medium-sized enterprises, businesses need to sit up and take note of the GDPR, rather than view it as a “tech problem” or something that can be fixed with a statement from the top brass.
Medium and smaller enterprises are precisely those who need to seriously think about compliance, sooner rather than later, according to our SAP Solutions Director, Steven Maguire.
“I think that everybody is busy; they have priorities in the business, which are around the running of day-to-day operations. All of a sudden this label of ‘data controller’ has descended upon them and it will be the medium to small enterprises that don’t have the resources of a full-time Data Protection Officer among their board members,” he said.
Of course, IT does have a significant role to play, not least in guiding both the board and other departments toward a compliance solution and in ensuring that staff are suitably trained and stick to the guidelines. But other departments need not only to be aware of the GDPR but to stick to the regime the business has chosen to use to comply.
Similarly, the Chief Executive or Managing Director has a role to play in passing information down through the business, but although the buck will stop at the top, it can’t start there.
Departmental “buy-in” is essential because in the face of the GDPR ‘siloed’ departmental data repositories are a disaster waiting to happen. For example, human resources (HR) departments hold data on employees, both current and former, as well as job applicants.
Given that former staff and unsuccessful candidates are the dictionary definition of a person likely to make a claim of data mishandling, HR alone is a minefield.
Bear in mind that the basic provisions of the GDPR are that personal data that is collected and stored must be relevant, stored securely, kept up to date, made available or removed on request of the person whose personal information is held, and stored for no longer than the regime allows.
Suddenly HR’s database, or worse, a shared spreadsheet in Dropbox or Google Docs, is a ticking time bomb.
In this scenario, employees responsible for fielding CVs, passing on bank account details to payroll, or noting career development courses must be aware that it is now their duty to ensure that the data meets the GDPR standards. HR management, meanwhile, has a responsibility to encourage and, ultimately, enforce the regime and to explain to staff why ad-hoc storage and the practice of ‘shadow IT’, where business data is transferred to unauthorised systems for the sake of convenience, must stop.
This can be multiplied right across the business with similar scenarios in sales, marketing, accounting and any other department that comes into contact with personal data—which, these days, is every department.