GDPR Focus – Awareness
The deadline is now fast approaching to identify the missing links and make the necessary changes to comply with GDPR in relation to how you collect, store, manage and use Personally Identifiable Information (PII) within your business.
Following the two-year transition period that began when the regulation was adopted in 2016, the GDPR applies, and its penalties become enforceable, throughout the European Union from 25 May 2018.
Providing that you are complying with the Data Protection Act (DPA) your business should have a good foundation for you to build on, as many of the principles are the same.
However, once you start to analyse the key changes, you will find that activities and processes your business carries out as part of its usual routine could be considered serious breaches under the GDPR.
Taking steps now to make the necessary changes will avoid you being faced with fines of up to 4% of your global annual turnover or €20 million, whichever is higher.
This is the first of a series of articles we will publish, focussing on the different topics relating to the regulation. With many companies still unclear on what they need to do, here are some thoughts on one of the key points, awareness.
It might seem obvious… but making sure that all the key people and decision makers in your organisation are aware of the regulation, and what the changes mean specifically to your business should be right at the top of your ‘to do list’.
Once these individuals are aware and appreciate the impact that GDPR changes will have on your business, it will help the message to be translated throughout the business in a clear and consistent manner.
Another scary reality is that you may well have individuals in your business who do not actually know what Personally Identifiable Information (PII) is. An interesting exercise would be to ask them! It’s probably safe to assume you will receive some varied responses…
For the purposes of the GDPR, PII falls into two categories: Personal Data and Sensitive Data (which the regulation itself calls 'special categories of personal data').
Personal Data is any information that relates to an identified or identifiable living person. That person is referred to in the regulation as a 'Data Subject'.
Personal Data can be obvious like name, address, an ID number, location data, online identifier (such as email address, cookie information or IP address) or less obvious such as information relating to the physical, physiological, genetic, mental, economic, cultural or social identity of the person.
Sensitive Data is personal data that falls into the special categories listed in Article 9 of the regulation. Processing it is prohibited by default unless one of a limited set of conditions applies, it carries additional rules and safeguards, and breaches involving it are treated as infringements of the basic principles and fall into the highest fining tier.
Examples of sensitive data include racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a person, health-related data, and data concerning sex life or sexual orientation. One of the conditions that permits processing is where a not-for-profit body with a political, philosophical, religious or trade union aim processes the data of its own members or regular contacts as part of its legitimate activities, but even then the data must not be disclosed outside that body without consent.
I recently spoke to a key player within an organisation who told me he wasn't worried because he "didn't process PII in his business".
During the conversation, it became clear that he was.
They were collecting, storing, processing and sharing names, addresses, telephone numbers and email addresses, all of which are PII. He was also sharing this information with his third-party providers who managed both his payments and logistics. Then there was the information he was holding on his staff... which he had not considered at all.
Businesses also need to be mindful of the cost of implementing the new transparency and individuals' rights obligations, which may require additional spending on IT, resources, communications and governance.
It's a good idea to encourage simple changes now while you take a more in-depth look at the bigger changes you need to make within your business.
Clear desk policies, for example: what do you leave on your desk at the end of the day that would be considered PII? You are likely to be quite surprised at what is left lying around the office.
By Nicki Smith – KFA Connect Sales Manager & Certified GDPR Practitioner
This article is not a definitive guide to the GDPR, just a thought-provoking piece to help raise awareness. You can find out more information regarding the GDPR on the website of the Information Commissioner's Office (ICO), the UK's independent data protection authority.
You can also take a look at the GDPR page of the KFA Connect website here.
If you have identified any areas where you require development assistance in order to comply with the new regulation get in touch with our friendly team.