Giving data proper respect: A business leader’s guide to GDPR
GDPR has become somewhat of a business buzzword in the last few years. I heard it mentioned a lot at Leeds Business Week and Thrive Yorkshire, and nowadays it’s all I ever see on LinkedIn!
Odds are you will already be familiar with GDPR. But for those of you who aren’t, it’s the new data protection law coming into action in the UK from 25th May 2018, replacing the current Data Protection Law 1998. It mainly focuses on accountability. This means that, in brief, YOU as a business leader will be held accountable for any data breaches. Breaching these new regulations can result in a fine of either 4% of your global turnover, or €20 million; whichever of the two is higher. It applies to all businesses, so if you’re a business leader then it’s essential that you’re clued up about it!
This is part of the reason why I, and many other business leaders, attended the Cyber Security EU Conference in Leeds last month. This year’s conference focused on, you guessed it, GDPR. With speakers among the likes of AQL’s Adam Beaumont, Stephen Porter from BSI, Chris Allen from Blacks Solicitors, and many more, I was certainly excited to hear what everyone had to say on the topic. You can catch up with the conversation on social media via jrc.agency, Cyber Security EU & The Agenci…
There’s been a huge increase in data breaches over the last few years. And you may think that data breaches only happen to global tech companies, with the likes of Talk Talk, Yahoo and Three all falling victim to online hackers in recent years. But it’s not just these larger companies that are being targeted. As Stephen Porter from BSI mentioned in his ‘Don’t try and achieve culture change overnight’ seminar, a shocking 74% of businesses reported information security breaches in 2017. This isn’t an IT issue. It’s a business issue. Something that EVERY business leader needs to be aware of, and something that EVERY business leader needs to have a plan for.
What do business leaders need to know?
As a business leader it’s important that you understand what GDPR is before putting a plan in place.
- The current Data Protection Act (1998) will be replaced by the EU General Data Protection Regulation on the 25th May 2018.
- There are six main principles, focusing on accountability. These are: ‘Lawfulness, fairness & transparency’; ‘Purpose limitations’; ‘Data minimisation’; ‘Accuracy’; ‘Storage limitations’; ‘Integrity and confidentiality’.
- Businesses that breach the GDPR regulations will receive a fine of either 4% of their global turnover or €20 million (whichever is larger).
- All data breaches must be reported to the ICO within 72 hours.
- Companies will need to put a process in place for dealing with data breaches. This includes taking into account customer privacy in your services and conducting Data Protection Impact Assessments.
- You will need to appoint a Data Protection Officer.
- The Data Subject has additional rights including the right to be forgotten (although Professor Adam Beaumont explained why this could be tricky, which I’ll get onto in a bit). You’ll also need to seek consent to store the information that you hold.
- There will be GDPR advertisements on TV in April 2018 to raise awareness of the new regulations among consumers.
- The ICO used to run on government funding, but this is no longer the case. The ICO now rely on the money they collect from fines, which means they’re likely to be stricter with these regulations.
Areas for concern
Like a lot of rules and regulations, this all needs to be considered in context. As AQL’s Professor Adam Beaumont highlighted in his talk, the way that content is stored on the internet makes it fairly impossible for data to be ‘forgotten’.
And the requirement of seeking consent to store information could prove particularly tricky for marketers, as you need ‘proof of consent’. The ICO state that “there must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity”.
At any time, a consumer or the ICO could ask you for proof that you have consent to store their data. This means that if you collect data on the phone, you’ll need to record and store all of your phone calls. And if you send marketing emails, you’ll need to ask for consent before sending out any further emails. But how are you supposed to ask this if you can’t send them an email to ask for consent? It’s all quite vague at the moment, but it’s something that will hopefully become clearer as we draw closer to GDPR. From a marketer’s point of view, this is definitely something to keep an eye on.
My take on this is that if you approach data protection with common sense and respect then you’re on the right path. As someone pointed out to me, GDPR simply stands for ‘Giving Data Proper Respect’!
How can business leaders work towards GDPR?
- Get your board on-board
One of the first steps that business leaders need to take with achieving GDPR is to get your board to take it seriously. The board understand risk and after all this is simply risk management, so it shouldn’t be too hard. Protective Intelligence’s Vince Warrington advised to not focus on threats and vulnerabilities, but rather keep it at a higher level and focus on risk reduction and mitigation. Performing a risk assessment could be useful to discover any gaps for potential hackers. Senior management love to hear “We have a risk, and here’s how we’re going to solve it”…
- Refine your knowledge on GDPR
It’s important to realise that you’re not going to be able to achieve GDPR overnight. It will take weeks, probably months, of planning and taking small steps. A lot of this will be refining your knowledge on GDPR, which can consist of taking training courses or even just doing some online research. As Stuart Hyde QPM from CISP mentioned in his talk at the Cyber Security EU Conference, it could be a good idea to at least review the National Cyber Security Centre blog. Some other useful GDPR blogs include The Agenci, the ICO & IT Governance.
- Get your team up to speed on GDPR
Whilst it’s essential to refine your own knowledge on cyber security, it’s just as important to encourage cyber security awareness within your workforce. After all, what’s the point in spending time and money on improving your company’s online security if an employee then downloads an email with a virus attached? One way to combat this could be to sign up for company-wide training on how to improve basic online security in the workplace. You could also implement a data protection policy, guiding employees on how to keep customer data secure. Take into account employee behaviour and how to develop a more secure culture within your team. As Melanie Oldham from Bob’s Business highlighted, it’s important to understand that people are driven by emotion and wanting to do a good thing, but may simply be unaware of how they’re effecting company security.
- Improve your online security
As you can guess, there are more complex steps to improving cyber security too. Salt Agency’s Reza Moaiandin mentioned the importance of ‘protecting your doors and windows’. The key message from this was that IP addresses are often the easiest way in for hackers. Putting them behind a Content Delivery Network (CDN) such as Cloudflare can improve the security and speed of your website!
Investing in the latest data encryption software can keep your data more secure too. Encryption software scrambles any customer data to make it unreadable to anyone without the decryption key. So, if you do fall victim to a data breach, your customer data will be a lot more difficult for hackers to access.
As you can see, there’s a lot that business leaders need to consider with GDPR. But if it protects the security of your customers and your business, then surely it’s worth your time and effort? I certainly believe it is!
We’ve also got to remember that we’re still in the very early stages of the ‘digital revolution’. At the moment data hacks are one of the most serious issues in the digital world. But in 10, 20, 50 years’ time it could be a whole lot worse, and we need to prepare for this. Catherine Knibbs MSC spoke about the potential of hacking internet-ready devices – could your fridge come into your bedroom one night and murder you? She was a fascinating speaker with so many stories, most of them horrific, which certainly made me far more worried about my children and their devices!
To get free digital marketing tips and advice delivered to your inbox, sign up to the jrc.agency blog.