Planning before acting is key to handle GDPR compliance
If you have not yet heard anything about GDPR (acronym for General Data Protection Regulation), it's a new regulation (effective from May 2018) regarding your business handling data about individuals.
At a recent networking event, I met Padraig, the Head of IT of a 25-staff SME. They process on-line and off-line personal data and operate from 3 locations. I was telling him about our forthcoming workshops on GDPR. He told me they were on top of GDPR and everything was under control: one of their new board members has a strong background in handling GDPR and, under his guidance, they have appointed an expert consultant.
I was really impressed, until Padraig mentioned he could not understand why the Head of Marketing was unhappy after the IT team had sent an email to their 5,000+ mailing list asking them to confirm their database opt-in.
He admitted that the Head of Marketing wasn't getting GDPR and that politics was better understood than Data Privacy. The CEO did not seem to care much.
This SME has a board member who believes he understands GDPR, hired an expert who believes he also understands it, and has an IT manager who believes they are on top of it. Yet, they are making a complete mess of it.
By this point, you are probably starting to realise the obvious: Padraig, the poor IT manager, is handling one system in complete isolation. He is missing several key ones that are far more sensitive and that contain shared data. By the time they realise, they will probably have to send another email to the same individuals.
In addition, he let it slip that they have a cluster of servers in the cloud holding 20,000 client records. The company that originally built it no longer supports it, as the original developers are gone and left no documentation. The supplier quoted them 11 days (at €700 per day) to install an SSL certificate (to encrypt the data between the browser and the server). From what he described, I wonder how they would handle a request for access even within the 1 month allowed. Don't even ask about responding to a breach within 3 days. They have no plan to replace it.
Between the beginning of August 2017 and May 2018, here is how they should go about it:
- Senior management (CEO and first level) need to realise that there is a lot at stake. Lack of compliance will cost them reputation and financial damage. Hiring a legal firm with expertise should convince them quickly, especially when they hear about the Data Commissioner's new rights.
- Once they understand that GDPR is here to stay, they need to find a proper data privacy consultant to guide them through the journey. They will need a specialised legal firm too.
- The next task will be to initiate a comprehensive audit of data processes: paper and IT, internal and external. It will show who has access to the data, and it will highlight threats.
- The board needs to understand, even if they don't want to.
- Then they need to plan and assign priorities. The sales manager won't be too happy to hear his developments will need to be postponed.
- They will need to find the budget to bring systems into compliance and to cover legal fees.
- They will not have completed everything by May 2018, but should the Data Commissioner pay a visit, they'll be able to demonstrate their preparation in an organised manner.
The French and the Irish share a strong agricultural culture. So, I will conclude with the French expression "il ne faut pas mettre la charrue avant les bœufs" (literally, "don't put the plough before the oxen"), more commonly translated as "don't put the cart before the horse".
I guess it comforts me that running our workshops could prevent other SMEs from making the same mistakes.
We understand SMEs, and we have been handling data for a long time. Over the years, we've had several instances where we reported to clients that there had been SQL injection attempts and other funky stuff against their environments, and we gave them files containing the details for them to pursue legally. This is only security: privacy is one level above.
Our half-day workshops cost €295. That is expensive compared to all the free talks you can attend on GDPR, but we value our experience and the time we spend explaining what you have to do. Our workshops are not just talks about GDPR and the threat: we give a practical, hands-on approach to making "privacy by design" the way your business operates.
You can reach me on +353 1 9059010 (Eire/UK) +32 2 808 02 08 (FR/BE).
Facebook: www.facebook.com/wandsoft (we need more likes: hint hint)
PS: the name has been changed for obvious reasons, but I verified the facts and it is, sadly, a true story.
Chief Innovator - Wandsoft