….is a statement that many companies seem to be making, either explicitly, by looking at what they think needs to be done and deciding it doesn’t apply to them, or implicitly, by not even making the time and effort to find out what needs to be done.
Of course this could be true IF a company deals with absolutely NO personal data, oh, and has no employees, and does nothing to record personal data on CCTV, for example.
In reality of course, most companies have some of the following:
- employees, who have personal data
- customers, who have personal data
- suppliers, who might have personal data, particularly sole traders
- marketing contacts, who have personal data
- support contacts, for whom there may be personal data
- and more
All of the above might be in one system, or they might be in:
- HR systems
- CRM system
- Contracts Databases or Accounts Databases
- Sales Databases or email marketing type systems
- ITSM tools or helpdesk software
- Email, desktop applications, spreadsheets, local or network storage
So who is responsible for GDPR here?
- Head of HR
- Head of Customer Support
- Legal or Head of Finance
- Sales Director
- Head of Service Management
- Head of IT
But that is only the data view, and in reality it covers only some of the things you need to be worrying about when it comes to data.
What about the other areas of GDPR?
- Who is going to be the nominated ICO contact?
- Who will write the data processing statement for one or all departments?
- Who will be responsible for incident management or breach reporting?
- Who will respond to data subject access requests?
This is only a small subset of the areas and responsibilities that businesses need to consider with respect to GDPR; it is here to illustrate how GDPR relates to nearly all businesses.
But why should businesses worry about all of this now, when the Data Protection Act has been around for years? Many businesses, even if they have registered with the ICO, have had very little to do under the DPA.
A Game Changer
GDPR is going to change all that – Elizabeth Denham, Head of the ICO, says ‘GDPR is a game changer’.
There are lots of good reasons to comply with the GDPR. Government and public bodies are starting to see that it’s going to be the only way they can do business, and in turn businesses that deal with government and public bodies will have to follow suit.
For others it might be the stick, providing the encouragement or the punishment that drives businesses to comply.
Data Subject Access Request (DSAR)
The ability of anyone to request access to their data from any organisation free of charge – which in most circumstances must be provided within 30 days – will cause a lot of companies significant pain.
Don’t underestimate the number of disgruntled employees, customers who have ever complained, suppliers who haven’t been paid, and potential customers who have received one too many phone calls or unsolicited emails.
DSAR is just the start
If they have received the data, the next step might be to ask for it to be deleted, completely ‘removed’ from the organisation’s systems. If this can’t be done, they have a right to ask for a restriction of processing, or to object to processing, until a suitable remedy is found.
Data Subject rights
Aside from the above, an organisation has to inform every data subject of what data is held, why it’s held, what happens to it, who has access to it, how long it is kept for, which of the conditions of processing the business considers to be in force, where the data came from if it isn’t collected directly, and the data subject’s rights with respect to how the data is used.
For data collected and used solely for the purposes of direct marketing, the data subject has the right to object to that processing, no ifs or buts: the processing must stop.
Not complying with the regulation could also be costly – ‘certainly much more costly than the current fines’.
GDPR states that “the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation” – “shall in each individual case be effective, proportionate and dissuasive.”
And with fines of up to 4% of “total worldwide annual turnover” or 20,000,000 Euro, whichever is higher, that is a very big stick indeed.
© GDPR Auditing 2017
The information provided in this post is for general information only and is not intended to provide legal advice.