Here’s the scene

Everyone and their dog in IT reseller land is sending you out hundreds of emails a week about GDPR.

You’ve got users with problems breathing down your neck who won’t leave your desk until you’ve reset their password, which if they’d only just remember them you’d get some work done.

You’ve also got those ‘special’ users who should be removed from all electronics and at the very least be spoon bending on TV or the worst ones should be on Netflix’s Stranger Things.

So… Have you looked at those marketing emails about GDPR?  Not a chance!

What’s the fuss about GDPR?

Okay in a nutshell, the Data Protection Act, which hopefully you’ve heard of, and dealt with your responsibilities for already is changing.  As the IT Manager, you may have signed up your organisation to be a data controller and paid the fee to the nice people at the Information Commissioners Office in Wilmslow.  Wilmslow is pricey as you may know.

The Data Protection Act was actually incorporating an EU Directive on Data Protection, which basically meant it conformed to a common standard across Europe.   The good old British DPA was actually seen as a good practice implementation of the law, but times have changed, more data is electronic and the threat much greater to privacy and other concerns.

Therefore, our former friends in the European Union have developed the EU General Data Protection Regulation or GDPR for short.  The important note is that this is not a directive of the past this is automatically the law.  It is likely that the Information Commissioners Office is going to be the body responsible for enforcing this, but information is currently a bit sketchy despite all those marketing emails you’re getting.  We suspect that over in the ICO there are a few vampire teeth growing as has happened with the HMRC of late.

Anyway, this time there is no need for that law to be passed as it flows directly from Europe.  We didn’t know they could do that either!  But they can.  And they have!

What about the B word?

Brexit, but yes I was thinking of the other word too.  As of the time of writing, nobody knows what’s going to happen with Brexit and the UK Government (at present we don’t have one due to a General Election) intends to enact the Great Cut and Paste Act (Repeal Bill really) and take all of the EU laws and copy them.  And they tell you plagiarism is bad at school eh! (wonder how the Information Commissioner will feel about that)

Personally, we can’t see how it’ll work post-Brexit due to there being no interface with any EU agencies on the issue of data protection and only the UK Information Commissioner remaining relevant.  One thing is for sure, if the EU GDPR turns into the UK GDPR it gives our own Information Commissioner more teeth.

GDPR is to be Ignored at your Peril

We’ll tell you why.  It has much less to do with doing the right thing, looking after personally identifiable information and stopping global hackers from attacking our infrastructure.  It has everything to do with money.

The agencies in the UK have gone under a great deal of change since the recession.  Largely they have begun to cover large portions of costs through fees, fines and penalties.  It is anticipated that the ICO will be able to cover the costs of enforcement of the GDPR via fines of non-conforming organisations.

We would also expect your insurers also to become quite hot on this also to ensure they’re not hit with any liability for any non-conformance.

What next?

You may have remembered the DPA from school and signed up your organisation to be a data controller, merely for run of the mill stuff such as payroll processing – even if it wasn’t really notifiable, it was better to stay safe.

Inadvertently if you’re the contact for the DPA at the ICO you may have volunteered so it’s time to get a team together!

GDPR now needs to become a better process in your company and be between IT and the executive management or board of directors.

Ultimately, like so many Information Security and Cyber Security related issues – this is RISK based.  So you should really be working on a risk assessment or have a competent person come in and produce one for you.

Starting with your information assets, you then need to look at all your associated risks and begin to develop a proper plan.

Here at Unleashed we’re happy for a no nonsense and free chat and we’ll let you know if we can help or not in your specific circumstances.  Why not give us a call on 03332400565 or visit our contact page and drop us an email.  You can also read more in our developing GDPR section of our website.