The General Data Protection Regulation (GDPR) has come at an interesting time in our lives. People make their personal data readily available to companies or through a multitude of social media tools, either knowingly or unwittingly. Just looking at the proliferation of ‘Connect’ requests on LinkedIn, Facebook etc. gives a sense of our personal data being available to a wide body of people and organisations.
I recently heard a comment that GDPR was brought in by the EU as a way to break what was seen as the data monopoly by some organisations. However, I like to think GDPR was brought about to strengthen the rights of individuals; improve protection by fixing what wasn’t working in the previous legislation; and enforce consistency across Europe by now passing a Regulation rather than a Directive.
Public bodies, Government agencies etc. do not have a good track record of protecting people’s data – looking at the ICO website for enforcement action for Q1 2017 shows that 73% of all incidents were in this sector. That doesn’t mean that the private sector can gloat as 27% is not a good situation either!
For those of you who were involved in the much-maligned Y2K or ‘Millennium Bug’ you could be excused for thinking that GDPR was déjà vu. It’s been 20-ish years since the Y2K projects started but the same “it’ll never happen” versus “we’re all doomed” comments seem to be resurfacing; the 2-4% global turnover regulatory fine has been effective at focussing attention on GDPR.
I worked on a trading floor at the time and there was a huge (i.e. expensive and time-consuming) project to identify affected systems and processes. Quite a few instances were discovered and it did stop ‘things’ working. Was it the end of the world like some predicted? No. Would it have impacted operations on 01/01/00 if left unchecked? Yes. Was it a timely overhaul of outdated systems and processes? Definitely yes!
What the lead-up to Y2K did do was focus the attention of staff, and most importantly of executives, on the risks and impact of doing nothing - sound like current conversations? The risks of doing nothing far outweigh the investment. Did that result in getting systems, infrastructure and controls updated? Yes.
GDPR is an opportunity for anyone who thinks in such terms. We all win, as our data will be more secure and we won’t be constantly pestered unless there is a lawful reason to do so, and if there isn’t, we can object and stop it. The public and private sectors can win, as there is an opportunity to transform, streamline and improve their IT and processes, and to stop hoarding (and therefore paying to store) data. IT and developers can win if they design privacy into their tools – it makes those tools more attractive (and marketable) if they can say exactly what data is expected and the data flows are already mapped out.
I believe that there are many opportunities for the implementation of GDPR for SMEs, and that it will be a great example of how an SME can deliver a positive change in Government. It is not something to fear.
Securestorm was formed when our co-founders made a decision to leave the limitations of the Big 4 environment to set up a lean, responsive cyber security consultancy that provided practical advice with the aim to simplify the world of Cyber and Cloud Security.