The General Data Protection Regulation (GDPR) is a new set of EU laws that protect the privacy and personal data of individuals in the European Union (it applies to anyone in the EU, not just citizens). It comes into force on 25th May 2018 and will be carried into UK law despite Brexit, so it can't be ignored.
The laws affect every business including yours and ours. There are a number of things we all need to get done and what we’re describing here is the approach we’ve taken. You may want to take the same approach and tailor it to your specific needs but you should seek professional advice and help.
We’ve trawled through the regulation and the oodles of commentary and then applied some common sense to come up with the following:
Headline things we all need to do:
Have a lawful basis for holding each piece of personal information, and tell individuals what you're collecting, why you're doing it and how you use it. Consent is one lawful basis but not the only one: processing that is necessary to deliver a service under a contract, or to meet a legal obligation such as a tax filing, doesn't need consent. Where you do rely on consent it has to be explicit, and you need to record that the individual agreed, when, and to what.
Adopt policies and procedures that make sure you are protecting the privacy of individuals and reporting breaches to the Information Commissioner's Office (ICO) in time. "In time" means within 72 hours of becoming aware of a breach, so the procedure has to say who decides, who reports and how the clock is tracked. We started with templates and, once they were finalised, started a process of educating our team. There's no point in just having them if no one knows about them or follows them!
Appoint a Data Protection Officer (DPO). GDPR only makes a DPO mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, but every business still needs a named person who owns data protection. If you think of them as the person the ICO will hold to account if things go badly, you'll realise that this isn't just a title. The person needs ongoing training and a seat at the management table to make sure that you're always obeying the law, even as it changes.
None of the above should be a surprise.
Having dealt with all of the above there's still a bottom line risk that getting it wrong may cost you money: the maximum penalty for breaking the laws is €20 million or 4% of annual worldwide turnover, whichever is higher, and that sharpens the mind! Like you, we're not keen to pay fines, so we set ourselves the simple challenge of reducing the risk of this happening.
Identify the biggest risks
The biggest risks in your business are loss of information and misuse of information. In fact, one can beget the other so they’re inextricably linked.
The other risk to think about is if something goes wrong, can you pin it on someone? Not a very friendly way of putting it, but trying to answer the question will take you into important areas like security. You will also need to answer this question for each of the biggest risks you identify.
Reducing the risk of losing information
Ask yourself the following simple questions:
Are you collecting more information than you need? Where you are, either stop collecting it or make it optional, i.e. let clients decide. Information you don't hold can't be lost.
How might information get lost? Look at all the places where this might happen (email attachments, laptops and phones, backups, third-party services, paper in the office) and close the gap, or put in place a procedure to test the gap at regular intervals.
Reducing the risk of misusing information
Ask yourself the following simple questions:
What information could be misused? Interestingly enough, it's combinations of information that are needed for misuse: a fraudster needs more than just a first name to get up to no good, but a name, date of birth, address and national insurance number together are enough to impersonate someone. We worked out some basic combinations and then applied our "do we need it" test to each item in them.
Who might misuse information? Misuse is something that could happen inside your office so take a look at the different jobs that your team does, what information they might come across and apply a “do they need it” test.
Pinning it on someone
Well, if things go wrong you need a trail so that you can tell the impacted individual and the ICO what was lost, when it was lost and who (or what) was responsible. Think about how you would work that out. A couple of scenarios covering each of the biggest risks you've identified will give you what you need.
It's not all about software!
Some of the biggest risks in your business are nothing to do with software, although technology can help reduce them. You need to consider physical security and protection as well. What might a fraudster be able to do if they were able to obtain a paper tax return from your office? What information would they be able to get about the taxpayer? Is it enough for them to impersonate the taxpayer?
The fact is that the physical security of your office and your client papers is where you may have significant vulnerabilities. Having identified them, you may decide that it's finally time to move to a paperless future... and the investment may be worthwhile if the fine might be a percentage of your annual fee income.
It's easy to be bamboozled by all of the public commentary, but applying a common sense approach to risk will make it easier to eat the GDPR cake. Slice it up and tackle each slice in turn. But most importantly, don't be misled into thinking that software and technology will deliver your GDPR compliance. It won't. You have to.
Emanur is a former management accountant turned Chief Technology Officer. After 20 years applying his technology and accounting skills in investment banking, he left his role as a CTO at The London Stock Exchange Group to found onkho. Emanur drives the business' strategy and execution and occasionally opines on what he thinks is interesting.