By Tom Martin, MA, MIITD, LIB, QFA, CUA, CUC, CUG, CMILT, AMSOE, AMIRTE
So what exactly does the introduction of GDPR mean, and how will this impact you?
As a general rule of thumb, the larger the organisation, the sooner you need to commence preparation.
This week, in part 2, we look at the 10 different ways that GDPR could impact on your business, and how to prepare.
GDPR introduces significant increases in the rights to privacy of individuals, and greater obligations on organisations to protect and safeguard such privacy.
GDPR introduces very hefty fines for non-compliance – up to €20 million or 4% of your business turnover – not profit.
GDPR imposes stringent obligations on organisations to report data breaches to the Data Protection Commissioner, and to take prescribed actions to rectify such breaches.
GDPR requires larger organisations to appoint and resource a Data Protection Officer.
GDPR tightens the definition of consent. Organisations can only obtain information and data from their customers/clients/service users with their consent, and that consent must be freely given, fully informed, and unambiguous. It is no longer acceptable to “tick” boxes, or to infer that a customer’s inactivity amounts to consent to use their data. This element of GDPR will place the greatest burden on organisations preparing for its introduction and seeking to ensure they are fully compliant.
GDPR introduces obligations regarding websites, and tracking “cookies” on websites. There are significant Information Technology implications for most businesses, as the way information is stored, captured and used will change, and IT systems must also change to ensure full compliance with GDPR.
GDPR enshrines the “right to be forgotten”, or in other words, the right to compel organisations to delete the personal data they hold about you. Organisations must ensure that they have procedures in place so that such requests can be received and accommodated.
GDPR compels organisations to deliver the personal data of an individual, on request, to another organisation. This will have significant impacts, both financial and on human resources, when a customer transfers his/her business to a competitor.
GDPR clearly defines the responsibilities and obligations of organisations collecting and retaining data, and also outlines the liabilities that they are assuming.
GDPR outlines specific steps to take when obtaining information from children under age 16, together with the form that communications with children must take. This will have obvious implications for sporting and other organisations.
The key learning here is that GDPR cannot be ignored, or pushed into the background. For those of you who are old enough to remember the introduction of the Euro on the 1st January 2002 (I have my hand up here!), the GDPR has some similarities, in that the date is immovable, and you must be ready beforehand, or else you will find yourself in trouble.
IT providers are likely to be inundated with requests to update websites, point-of-sale outlets, receipts, staff files, customer access etc., so approaching your IT provider the week before GDPR is enforced is not a good idea.
Having worked on GDPR with a number of diverse organisations, what is very clear to me is that each organisation is unique, and each will have to examine all areas of its own business and consider how GDPR will impact upon it. From there, each business will have to draw up its own plan on how it can ensure compliance with GDPR, and avoid drawing the wrath of the Data Protection Commissioner, and the risk of incurring fines and other sanctions.
The Data Protection Commissioner’s office is ramping up its own resources in preparation for GDPR, and has already stated that it will commence the process of inspecting and examining businesses for full compliance immediately after GDPR is introduced.
So, do you need to panic, or is GDPR something that will settle down after a while and that you can ignore for now? Whatever you do, don’t ignore GDPR – it is imminent, and can have very costly consequences if you are deficient, negligent or non-compliant. That being said, the preparation for GDPR doesn’t necessarily have to be an onerous task – if you know what you are doing, have proper action plans in place, and begin the process of preparation as soon as possible. As a general rule of thumb, the larger the organisation, the sooner you need to commence preparation.
A final thought – GDPR will shortly be with us, and is going to stay with us, so it is not an optional extra.