GDPR and your business
On 25 May 2018, the new GDPR (General Data Protection Regulation) came into force.
Woking Works, its partners, and Surrey Chambers of Commerce have recently hosted two free business breakfasts in Woking, to help local firms get up to speed on what they need to do now.
Attendees heard the latest news from the ICO (Information Commissioner's Office) and tips on how to make sure their business practices are compliant.
- Have you made all the necessary changes?
- Do you feel happy that you are meeting the regulations?
- Are you totally clear about GDPR?
If you aren’t saying yes to all of these, don’t worry - you are in good company!
You can still benefit from the knowledge shared by our panel of speakers: below is a summary of each talk, with contact details to find out more.
Laurie Heizler, Barlow Robbins
Laurie is a solicitor with over 20 years' experience of intellectual property, data protection and commercial agreements. He acts for businesses, schools, charities and private individuals, representing parties in intellectual property disputes, and advises on contracts in all technology sectors and on regulatory compliance. Laurie enjoys helping clients reach a good understanding of intellectual property and showing how it can add value to their enterprises, create revenue and protect key assets.
"All organisations should be working on their implementation of data protection both ‘by design’ and ‘by default’. Businesses should be ready to easily enable individuals to amend, restrict or erase the information you hold on them, and also have appointed a suitable manager to oversee GDPR compliance. If there has been a data breach, all businesses should be prepared to consider notification to all affected parties as well as to the Information Commissioner’s Office (ICO).
Businesses should also be considering data protection issues that are outside the GDPR and contained in the Data Protection Act 2018. The ICO can force a business to deal comprehensively with data protection complaints at very short notice or even prevent it from operating if it is improperly processing personal data. Another issue which has not been widely publicised is the need for organisations that control data to pay fees on a sliding scale to the ICO.
Future issues to bear in mind include questionnaires and data processing agreements, appeals against the very large financial penalties that can now be imposed, and the need for a legally binding agreement to allow the UK to share personal data with European Union countries after Brexit takes effect.
Members of the public have a low level of confidence in organisations that process their data. It is therefore important to take data protection very seriously now that the new laws are in place. However, compliance should not be allowed to stifle innovation and good business practice. The ICO is interested in pursuing the digital giants such as Facebook - it is not targeting small businesses that make thorough efforts to comply.
Nevertheless, the need for GDPR compliance did not stop on 25 May 2018 and the issues will not go away."
Yogesh Agarwal, RightCue Consulting Services Ltd
Yogesh is the Information Assurance Director for the RightCue–Arcom IT partnership, and has more than 14 years' experience in the field of IT risk management. A keen technology enthusiast, most of his work involves being a reliable and effective bridge between technology and business decision makers, and de-coding cyber for executive management. As a privacy professional, Yogesh has been closely involved with developing processes for securing personal data for large enterprises as well as SMEs. He is also a GCHQ-certified assessor for the IASME GDPR readiness framework.
“One major challenge facing small and medium-sized organisations is being able to successfully demonstrate that they have taken reasonable steps towards GDPR compliance.
This becomes somewhat simpler if the activities are broken down into three broad categories: Information Security, Governance and Accountability, and Regulatory Requirements.
‘Cyber Essentials’ is a UK Government-backed self-certification scheme that helps businesses demonstrate good information security practices, which can help to effectively implement the minimum expected controls.
Similarly, the IASME Governance Framework (Information Assurance for Small and Medium Enterprises) can help with establishing IT governance and data privacy measures. The ICO has many resources available on its website, notably the Data Protection Impact Assessment, the Legitimate Interest Assessment and the data protection self-assessment toolkit, which should be taken advantage of.”
Emily Hodges, Secgate
Emily is a cyber security and privacy consultant for Secgate Ltd. Her background is in mathematics and she is currently looking into the impact of quantum computing on cryptography (feel free to ask!). Recently, she has been helping a number of clients with their GDPR compliance: understanding the organisation's objectives and priorities, developing simple processes aligned to existing ways of working, creating documentation to demonstrate compliance to stakeholders, and training employees on how to adopt privacy principles in their everyday roles. Secgate believe that compliance is a by-product of doing the right thing for your business. Good data protection is about respecting individuals' privacy. Getting this right will result in happier customers, happier employees and a more successful business.
“A lot of organisations are struggling with the GDPR - it is difficult to understand and it seems like there is an awful lot to do. Whilst having all the right processes, governance and documentation in place is extremely important, people often forget the true purpose of the GDPR: to minimise the privacy risk to individuals by following seven core principles.
All of your employees should be aware of these principles and encouraged to consider them in their day-to-day roles. By doing this, you turn the daunting task of compliance into a team objective where everyone can contribute.
The seven principles are below:
- Lawfulness, fairness and transparency: Is the individual fully aware and happy with my use of their data?
- Purpose limitation: What is the purpose of this use of personal information? Is it an approved use?
- Data minimisation: Do I need all of this personal information for what I'm trying to do?
- Accuracy: Is this information accurate? Does it need updating?
- Storage limitation: Do I still need this information? Do I have access to any information that I don’t need any more? Are there any unnecessary duplicates of this information?
- Integrity and confidentiality (security): Is the data adequately protected from unauthorised use? Have I taken appropriate and proportionate measures?
- Accountability: How can you be sure of the above? What happens if things go wrong? Who is responsible for what?”