Having been working with an array of businesses in conjunction with the new GDPR legislation, I have observed a lot of bad practice and have heard stories from a wide array of sources that have left me with my head in my hands. Here are a few of them.
- ‘Listen to me I’m “GDPR certified”’
Saying that you’re GDPR certified is like saying that you are certified to fill out your tax return for the year. These people are essentially bragging about being able to obey the law. In reality, what these people are is GDPR trained, which in itself is a broad term, as “training” can range anywhere between a half-hour webinar and a full training course that takes multiple weeks to complete, the likes of which you have probably seen being touted around LinkedIn on a daily basis.
Advice: Steer clear of anyone conveying the message that they are GDPR certified. If they don’t even know that there is no such thing as GDPR certification, what else do they not know about it?
- “GDPR doesn’t affect my company”
Okay, in fairness there is a possibility that GDPR doesn’t affect you. However, if you are part of the large majority of companies and you come out with this bold statement, in the long run you are putting yourself at unnecessary risk. The likelihood is that you are covered by GDPR, either to a lesser extent than you might expect or in ways that have been overlooked. Did you know that communications with your suppliers and clients, and understanding your role as either a data processor or a data controller, is one of the key checkpoints on the route to GDPR compliance?
Advice: Establish a formal agreement with any relevant companies as to what each company’s role is when it comes to the control and processing of personal data.
- “The personal information that I store isn’t in GDPR”
What is defined as personal data is one of the key battlegrounds for GDPR warriors debating how the regulation will affect businesses; many are using the ambiguity surrounding it as a form of scaremongering. The easiest way to decide whether a piece of information is personal or not is to ask yourself whether it makes a person individually identifiable. For example, a full name is not included in GDPR as several people can share the same name; however, an email address is, because it can be traced back to the sole owner of an account. I became aware of an interesting nuance recently when talking with an app developer whose app uses in-app location tracking: a location that can be traced to a single point identifies an individual, and thus is personal information.
Advice: When beginning your GDPR compliance journey, the first step would be to classify and prioritise the data you hold.
- “This product will make you GDPR compliant”
GDPR compliance is so broad that a “one size fits all” product does not exist, and no single product would make you GDPR compliant. GDPR, apart from anything else, is an exercise in education and understanding rather than a problem to be patched up. When tackling GDPR, think about it from the perspective of the people whose information you’re protecting, and know that other companies will be taking the same steps to protect yours.
Advice: Understand how any information you store can be made vulnerable in terms of how it is stored, and how it is accessed and transferred by employees, as end users are often the easiest target for a security breach.
- “Now I’m compliant I’m in the clear”
GDPR is an ongoing process that requires monitoring once compliance is achieved and should be reviewed and checked whenever there is a change in process, change in data storage, the addition of new groups of data, etc. Think of GDPR as a live process with the need for frequent checks and nurturing to ensure its success.
Advice: Schedule checks for GDPR regularly and make a conscious effort to consider it when making large and small-scale decisions. A good step is to implement systems monitoring and utilise penetration testing when changes are made to ensure you have secure systems.
These are just a few of the worst lies you’ll be told. To hear more, give Lanmark a call on 020 7123 4910 and ask for Dan.