The new rules on data protection shouldn’t pose compliance issues for firms, as long as they know how to act on them.
Experts on data protection and data governance have been in immense demand in recent months as the regulation comes into effect on May 25th, 2018. At the same time, many businesses and people have been leveraging the GDPR topic, having spotted an opportunity to take advantage of the general lack of knowledge on the subject and the fear that currently exists in many firms.
The Irish Times published a good article on GDPR today, which, in my opinion, has so far been the most explanatory and straightforward regarding the concern.
According to Dr Katherine O’Keefe, a specialist in an Irish consultancy firm, “one of the biggest misconceptions that people have around data protection is that it’s a technology issue. The regulation is about trying to protect people and their rights. It’s not just a matter of making sure we have computer security – that’s a very important part of it – but it’s making sure [organisations] treat us as human beings with respect and making sure they have proper governance around what they are doing.”
She adds “… there is some confusion about aspects of the regulation, such as the misapprehension that it is ‘all about consent’ and that this is the only basis upon which organisations will in future be allowed to process people’s personal data. Consent is an important part – it’s one of the legal ways that people can process our data when we allow them to do that, but there are several other legal processing conditions. It’s about making sure that you have a justification to process people’s data and that you have a clear legal basis for it and are able to explain and justify what you are doing.”
Another interesting point is the assumption that the regulation applies only to EU citizens. For instance, according to a UK-based data protection and privacy consultant, “…GDPR will apply when an Indian-based company that processes personal data about people in India uses a data processor based in the EU.”
The Solution For Small Businesses
Larger corporations and firms have been addressing the new law for a while, making sure all actions taken are in line with the new legislation. The main concern here is how small businesses are going to incorporate GDPR rules.
Michele Neylon from Blacknight Solutions, a hosting company I have always had a good experience dealing with, says he believes overall awareness of GDPR among small businesses is “sadly lacking”. “While the bigger businesses might be aware and many have either done a lot of work on it or are at least trying to address it, a lot of smaller businesses aren’t aware how it impacts them,” he says.
He has observed a lot of people trying to sell “GDPR-compliant” solutions, which “simply do not exist”. Neylon says small business owners need to ask themselves questions about how they are collecting and handling personal data both physically and electronically. They need to look at what data they have, ask why they have it and whether they still need it, he adds. “I’d also urge every small-business owner to invest in a couple of good-quality shredders,” Neylon says.
So, what are the simple rules to start with? Delete old data, destroy physical copies and make sure that, from now on, all relevant information kept digitally on file is stored within a system/platform compliant with the rules.