Part 2 – GDPR Compliance. Health and Safety for Data.
OK, it’s not the most riveting subject, but sometimes that’s life. To resume from last week, the issue is that by May 2018, all of us who have European clients or contacts and hold data will have to be compliant with the EU General Data Protection Regulation 2016/679.
And to focus all of our minds, the fines which can be imposed on those whose lack of attention to the rules has contributed to a data loss could close down our businesses entirely.
If we assume that the steps discussed in my Blog last week – link here – have been taken, then you have your Data Protection Policy written, and a Privacy Notice ready to give to each new client or contact.
So that’s all fine, but no business can operate in a vacuum. Imagine how many third parties are in the chain between Amazon, say, and its customer who has ordered a new watch. Banks, couriers, web search engine operators, third party suppliers, all need to be sharing some aspect of the data which has been given to Amazon.
In my own case, I use agents to attend Consular offices, and I use Couriers. And of course I cannot mend my own computers or set up my office network or website. So there are boffins who occasionally need to get inside my computer remotely. Which means of course that everything I store on it – absolutely everything I know about my clients – can be stolen if I let the wrong person have that access.
So next, to protect yourself so far as possible, you obviously need to choose these people as carefully as you can. And in the modern world, if everything has gone wrong in spite of your best precautions, you will be required to document the basis upon which you reached your final choice. I suspect that “we just googled the cheapest” will not cut it.
Therefore, you will be wise to create a “Policy upon Appointing Suppliers” document. Of course, that will be a rod for your own back if, having created the document, it turns out that one of your employees just “Googles the Cheapest” anyway. You need to ensure that every person in your business who can make deals with suppliers reads the policy and acts upon its principles every time.
This can be the hardest part of the whole endeavour. If you have bright independent-minded work colleagues and employees, one of the most frustrating things a manager is faced with is getting them to behave in accordance with the policy in the manual. The phrase “herding cats” sums it up. It really will be necessary to refer to the data protection policies of your business as a routine item at every board meeting and team meeting to keep it in the forefront of everyone’s mind.
Industry has taken on board the responsibility it has to health and safety; now it really must give the same attention to the safety of the data it holds. Doing so will protect the financial health of your business.
Once you have your policy as to how to choose a supplier you will need to consider how to apply that policy in a particular case. Sometimes, businesses will consider that the specialist knowledge of the supplier is so far removed from their own that the best practical measure is to issue a questionnaire. At the least, you can seek the supplier’s assurance that it is aware of its own Data Protection responsibilities and has its own policies and measures in place.
The cynical will say that the whole thing is an exercise in CYB – Cover Your Back. But honestly, even if everyone does have covering their own backs as the primary motive for compliance with the rules, that’s not such a bad thing.
As with driving within the speed limit, it doesn’t matter if the motive is to avoid fines and disqualifications – still the result may be that nobody died.
Every business is different so each one will have to come up with its own policies, rules and questionnaires, and decide for itself how many meetings to hold and how often.
But a most important point is, that everyone, repeat everyone, needs to be included in the process.
I imagine that a hacker would probably not try to scam data access from the Chief Executive Officer of your business. If your part-time receptionist has a computer, then that is as good as the CEO’s computer, and it may be an easier task to scam access there, by pretending to be “from IT” or whatever.
Vigilance as ever is the key and as I said last week, I am very open to ideas and suggestions from you. Do please get in touch and tell me how you and your business are facing up to GDPR for 2018.
And in the meantime, as ever, our message to you is: for documents for use around the world, do contact me or Louise Morley here at AtkinsonNotary, E7 Joseph’s Well, Leeds LS3 1AB, phone 0113 8160116, email firstname.lastname@example.org, or via the website http://www.atkinsonnotary.com