Simon Fitchett, COO of UK Data Group discusses the importance of ensuring Data Security and the role HR Professionals can play.
The big, scary elephant in the room
There are scaremongers galore whenever you mention GDPR –the General Data Protection Regulation – coming into force on 25th May 2018, and the focus often falls on the fines and penalties for non-compliance!
However, when the hysteria and panic subsides GDPR is found to be less a horror story and more a logical re-alignment of current legislation with an evolution & modernisation addressing the shortcomings of existing Data Protection Directive (DPD) rules.
GDPR is intended to legislate a common-sense data security approach offering protection by design and by default.
In short; GDPR will address the desire to minimise the collection of personal data – or in business terms – only keep and manage the data you need!
Only keep what you need
The trend is to view Big Data as a valued business approach – the more data you have the better for your business – however, GDPR will encourage business to delete personal data that is either no longer necessary or valid to their business needs. You cannot lose what you don’t have!
In addition, the common-sense approach aims to restrict access to the data you do hold, and secure that data through its entire lifecycle.
It is very important to understand that GDPR is aimed at personal data and an individual’s businesses email address is deemed personal!
Think names, addresses, phone numbers, credit card and / or account numbers, and email and IP addresses.
Consent is at the forefront. And once you have consent, total transparency and clarity on what you will do with personal data leads to the “Right to Erasure and Right to be Forgotten”
Although an EU directive, GDPR applies to ANY business that collects data about EU subjects – if you trade in the EU you need to comply!
Again, in simple terms: All e-commerce and Cloud based businesses are included with all the security implications that creates – you do not need to have a physical presence in the EU and you need to look after your data!
Securing Your Data
One of the highest profile mandates set out by GDPR is to ‘keep customers data safe’, after all this is all about ‘Data Protection’. Sounds fairly simple in theory but not always the case’’.
Without over complicating it, the primary reason for organisations being hacked or losing data are that the majority of businesses, large or small, operate over congested shared networks.
In today’s ever-changing world technology is only as good as the infrastructure its sits on and the same applies to security of data.
Think secure infrastructure
Ensuring data is stored and managed on secure infrastructure is vital and only then can security, control and ownership of personal data be truly demonstrated and evidenced.
So, the message for UK businesses is clear. Awareness of your data—where is the data stored, who is accessing it, how is it being managed is now even more critical. Infrastructure MUST be the foundation of GDPR compliance. There is little or no point of implementation businesses wide GDPR compliance if the door to the data is left open!
Do we need specialist GDPR Training?
The UK GDPR Authority is the Information Commissioners Office (ICO) and they state very clearly:
THERE IS NO FORMAL ICO ACCREDITATION OF ANY PRIVATE TRAINING BODY
There are a plethora of training providers promoting lengthy and relatively expensive training courses for businesses to be GDPR compliant and accredited.
Are they beneficial? Perhaps. Are they a GDPR pre-requisite? Absolutely NOT and in my view not an expense needed to be paid out to ensure you are putting your business in the best possible position.
Many businesses with less than 250 employees have been led to believe that they need a DPO – a data protection officer – to be compliant. Wrong again. Businesses simply need to establish WHO will be responsible for protection of customer and employee data and how that data is managed.
In my experience, HR functions can act as the ideal team to coordinate GDPR compliance internally and externally and this legislation offers an exciting opportunity for all HR professionals in the industry
- HR Professionals should embrace a business wide plan for GDPR implementation, policies and processes as soon as possible and not wait until 25th May 2018.
- HR Professionals should consider the role of the Data Protection Officer (DPO) and have plans and procedures in place for data control, monitoring and management.
- Data Security and the protection of personal data is imperative. Making sure you have secure, GDPR compliant infrastructure is vital
- Data Control starts with consent! HR Professionals should work with sales and marketing teams to review all current client data and manage the consent, usage and access / deletion GDPR requirements.
- GDPR is as much for employee’s protection as it is for client or prospect data retention and protection.
To discuss how you can secure your data and learn more about the efficiencies of training your HR teams, contact Simon Fitchett, COO, UK Data Group on; firstname.lastname@example.org or visit us on www.uk-dg.co.uk