Are You Really GDPR Compliant?
GDPR and the 25th May will always be linked as some sort of deadline day. If you didn’t achieve compliance by then, the world would come to an end.
But what did the 25th May really mean?
What is compliance? What should I have done and what should I do? Why did the world not end on 25th May? Perhaps, for the same reason that the world didn’t end with the threat of the millennium bug, better known as Y2K.
Everyone considered that now infamous date in May a deadline. It wasn’t. The EU GDPR had already been in law for two years at that point, just not enforced. Using words like ‘enforced’ tends to worry people and perhaps make them act. Unfortunately, this gave rise to a lot of misinformation around the GDPR and the sudden appearance of so-called experts offering advice and promising compliance, when in fact they delivered confusion and, to quote Mr. Trump, ‘fake news’. Much of the information was plainly and simply wrong. In most cases, the material delivered fell well short in terms of quality and quantity, leaving most businesses unaware of how to handle and record a data breach. In some cases, IT providers used GDPR as a lever to sell their technology, many stupidly claiming to be the ‘silver bullet’ for GDPR when in fact, given the breadth of the regulation, a single technology-based remedy was impossible.
A client recently told me of their preventative measure to achieve compliance. Whilst they did bolster their security, they completely failed to achieve GDPR compliance. Their IT provider gave them advice, they followed this advice and spent lots of money with said provider. However, are IT providers the best place to seek GDPR guidance? One of the common myths the ICO has talked about is that GDPR is an ‘IT problem’. It isn’t. Only 3% of the EU GDPR relates to information security, so whilst IT can contribute to the process, they are not the answer.
So, is your IT provider the best place to seek help?
There are some who have taken courses in GDPR and have some sort of qualification in GDPR, perhaps claiming to be a DPO or a Practitioner. Whilst these qualifications may seem impressive, be wary of the solutions offered by your IT provider. I see too many cases where a client has been sold disproportionate levels of IT security solutions that were just not needed for compliance purposes. Other tales include a ‘GDPR Compliant Printer’, which did amuse me somewhat. The important element here is that if they are truly offering a compliance solution, one which begins with a discovery phase and not by selling you a product or service, then they might be able to help you. I strongly recommend taking up references and always talking to more than one company about your compliance.
My client spent a lot of money on encryption. Now, I am not saying this is a bad idea; in fact, quite the opposite. However, to be told that this would make them GDPR compliant is untrue, and either dishonest or just ignorance on the part of the provider. The bottom line for my client is that they have now turned to a full-service consultancy for help, and we will provide that help to ensure that they have the policies and procedures in place to protect their clients’ data and themselves from harm. We will work with them to create the GDPR culture they need to be truly compliant.