It might seem like things have gone quiet on the General Data Protection Regulation (GDPR) front since 25th May 2018 but don’t be fooled – there are many hazards of non-compliance with GDPR out there just waiting to trip you up.
In the last few weeks we have heard almost daily reports of organisations from the Police to retailers and service providers being fined for non-compliance with data protection legislation. We look at three hazards of the GDPR legislation which could trip you up:
A subject request could come in at any time following the introduction of the GDPR, and from any direction. An employee could ask for a copy of all the personal data you hold on them – and remember this could include all images you have of them as well as documents and records. A former customer could ask you to delete all personal data you have collected on them. A supplier could ask you to correct the misspelling of their surname. Would you be able to deal with and respond to the request confidently within the 30-day period required by the GDPR?
A data breach can be as simple as emailing the wrong person, leaving a document on the train or losing a phone, or more complex, like falling for a phishing email or being hacked. Do your employees know how to spot a data breach and what to do if there is one? With only 72 hours to report a serious breach to the regulator, the Information Commissioner's Office (ICO), you need to be confident that your staff have been trained to spot and react to a breach, and that you have the right systems in place to deal with one promptly.
Complaints to the ICO
All it takes is for one disgruntled former employee or customer, or even a neighbour or competitor, to raise questions about your compliance and complain to the regulator. It takes less than five minutes for anyone to check whether you have a GDPR-compliant privacy notice on your website or whether you have paid your data controller fee to the ICO. But even if you have those outward-facing steps in place, would your approach to GDPR compliance withstand a probe by the regulator?
Despite what you would think from the scaremongering bandied around pre-25th May, the ICO isn't aggressively scouring the UK to find organisations that aren't GDPR-compliant in order to fine them the maximum penalty of 4% of their annual global turnover. At the same time, if your organisation is flagged to them, the likelihood and severity of a fine will depend, in part, on your ability to demonstrate the steps you have taken to be GDPR-compliant. Could your business survive the financial and reputational impact of a data breach or compliance failure?
To ensure you have the right systems, procedures, policies and training in place, subscribe to the secure online Astrid platform today. Receive all the tools and guidance you need to become and remain compliant, and the evidence you need to demonstrate that compliance.
Protect your business - become and remain GDPR compliant with Astrid