GDPR is everywhere at the moment. Almost daily, you’ll read something new about this law, and it’s fair to say that many companies are concerned about it. Some of the fear is rooted in scaremongering, whether from genuine misconceptions or from companies claiming to be experts in the new law in a bid to sell ‘off the shelf’ GDPR solutions. But how much of the information we receive is actually true? In this article we debunk a few of the myths that you may have come across recently.

GDPR is all about fines

We’ll start off by explaining the purpose of these fines. Yes, it is true that they are substantial. Constant news headlines explain that 4% of annual global turnover, or €20 million (whichever is greater), is the maximum that can be enforced, and to most companies that is worrying. However, the ICO have explained on several occasions that this is not a ‘go-to response’ in the event a breach occurs. These fines are considered a last resort. You’ll know that you can never be 100% secure when a computer is involved. This is true, and to simply issue a fine without any understanding of the situation would be unreasonable. In the event a data breach occurs and you have followed the correct steps outlined by the ICO, an investigation will be carried out. If you can demonstrate that you have done everything possible to ensure the security of the data you hold, it is very unlikely you will receive a fine. However, if you fail to report the breach, have unsatisfactory security measures in place, or simply show a lack of care with the data, the ICO will look differently upon the situation.

GDPR is like Y2K

The ICO have covered this myth, and we would like to reiterate its importance. Companies are preparing for the deadline of the law – 25 May 2018. GDPR is enforceable from this date. In 1999, people were planning for the Y2K deadline, expecting computers to crash and planes to fall from the sky. There is no need for that level of fear with the new law. Preparation for GDPR does not end on 25 May 2018; it requires an ongoing effort to continually comply. In this respect it is no different from any other law we abide by. To continually comply with this law, you will be expected to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.

GDPR is all about security

Over the past few months, we’ve discovered that a number of people believe that if their company has a robust IT security system in place, they won’t have to worry about the new law, as their personal data is protected. Firstly, we can categorically tell you that this is not the case. The new law concentrates on how personal data is processed, handled and discarded; it is not solely focused on keeping it secure. GDPR also covers data that is kept in hard copy, which an IT security system does nothing to protect.

That being said, Deputy First Minister John Swinney has stated that all Public Bodies in Scotland must obtain a ‘Cyber Essentials’ Certificate as a minimum. The Information Commissioner has also noted publicly that achieving Cyber Essentials accreditation can assist with preparing for GDPR.

GDPR requires that technical measures be in place. These are very well covered by the UK Government’s Cyber Essentials Scheme. There are also legal, training, HR and QHSE considerations to be made.

As one of the few Scotland-based Certifying Bodies of the Cyber Essentials Scheme, Clark IT can help you take the steps to comply with the new law and increase the security level of your organisation.

Clark IT are part of a group of like-minded companies who can help provide professional advice on these specific compliance requirements.

Gap Analysis

Clark IT have successfully carried out several gap analyses, which allow us to map a pathway to an organisation’s GDPR compliance. This is a low-cost, low-risk method of understanding what is needed to comply.