Are You Really GDPR Compliant?

GDPR and the 25th May will always be linked as some sort of deadline day. If you didn’t achieve compliance by then, the world would come to an end.

But what did the 25th May really mean?

What is compliance? What should I have done and what should I do? Why did the world not end on 25th May? Perhaps, for the same reason that the world didn’t end with the threat of the millennium bug, better known as Y2K.

Everyone considered that now infamous date in May a deadline. It wasn’t. The EU GDPR had already been law for two years at that point, just not enforced. Using words like ‘enforced’ tends to worry people and perhaps make them act. Unfortunately, this gave rise to a lot of misinformation around the GDPR and the sudden appearance of so-called experts offering advice and promising compliance when in fact they delivered confusion and, to quote Mr. Trump, ‘fake news’. Much of the information was plainly and simply wrong. In most cases, the material delivered fell well short in terms of quality and quantity, leaving most businesses unaware of how to handle and record a data breach. In some cases, IT providers used GDPR as a lever to sell their technology, many stupidly claiming to be the ‘silver bullet’ for GDPR when in fact, given the breadth of the regulation, a single technology-based remedy was impossible.

A client recently told me of their preventative measures to achieve compliance. Whilst they did bolster their security, they completely failed to achieve GDPR compliance. Their IT provider gave them advice, they followed this advice and spent lots of money with said provider. However, are IT providers the best place to seek GDPR guidance? One of the common myths the ICO has talked about is that GDPR is an ‘IT problem’. It isn’t. Only 3% of the EU GDPR relates to information security, so whilst IT can contribute to the process, it is not the answer.

So, is your IT provider the best place to seek help?

There are some who have taken courses in GDPR and have some sort of qualification in GDPR, perhaps claiming to be a DPO or a Practitioner. Whilst these qualifications may seem impressive, be wary of the solutions offered by your IT provider. I see too many cases where a client has been sold disproportionate levels of IT security solutions that were just not needed for compliance purposes. Other tales include a ‘GDPR Compliant Printer’, which did amuse me somewhat. The important element here is that if they are truly offering a compliance solution, one which begins with a discovery phase and not by selling you a product or service, then they might be able to help you. I strongly recommend taking up references and always talking to more than one company about your compliance.

The other sinners in this space are web site designers. Generally speaking, the creative folk are very good and will only offer a privacy policy but never claim to be delivering compliance. However, I often hear of ‘GDPR Compliant Web Sites’. It is businesses that are compliant, not web sites. Yes, your site should have a privacy policy, but the contents of the privacy policy should be backed up by documented policies, procedures and recording mechanisms. In many cases they are not, which makes the privacy policy worthless.

My client spent a lot of money on encryption. Now, I am not saying this is a bad idea; in fact, quite the opposite. However, to be told that this would make them GDPR compliant is untrue and either dishonest or simply ignorant on the part of the provider. The bottom line for my client is that they have now turned to a full-service consultancy for help, and we will provide that help to ensure that they have the policies and procedures in place to protect their clients’ data and themselves from harm. We will work with them to create the GDPR culture they need to be truly compliant.

Copyright © My Data Protection Ltd 2018