A year on from the introduction of GDPR and after the flurry of privacy notices, are businesses confident with their GDPR compliance?
TES reported recently that four in five schools believe fines for breaching new data protection regulations would ‘significantly impact’ them but that only half of schools and colleges were fully compliant. Talking to a number of senior executives recently it would appear these statistics are not reserved exclusively for schools
TES also reports that in a survey of 156 schools 52 per cent believed they were not fully compliant with GDPR and 46% highlighted security awareness as one of its biggest challenges.
So a year on, after many organisations have been encouraged to spend large fees to become GDPR compliant before the May 2108 deadline, there has been much comparison made between GDPR and the Millenium bug. (Computer programmers were concerned that computers would not recognise the 00 in the year 2000. It was feared that this would impact interest calculations etc by winding them back 100 years and became a a critical component of many budgets in the period before 31 December 1999).
GDPR didn’t, however, just come and go like the Millennium bug once the date had moved on. It has now become part of our every day business lives in much the same way that health and safety has. It is still one of the things, however, that keep senior management awake at night.
In the same way as health and safety, if we get GDPR wrong, or don’t maintain it correctly, our businesses could be subject to large fines, so it is important to know what we should be regularly doing.
Taking time out as a board, as part of overall governance, and reviewing the personal data held is a great start. Re-evaluating the way that data is being treated and protected – and not delegating responsibility for this. Asking questions such as “how do I know” what is in place? The business is looking for the high level challenge from the board to drive this through the organisation. Make sure that this is on the agenda at each board meeting. Regularly review the following:
- Incidents or near misses.
- Privacy risks
- Data Protection Impact Assessments for new projects requiring approval and sign off
- Subject access requests
Accountability is a key principle and being able to demonstrate what is in place and that it is being continually reviewed is all part of this. As part of this process, making sure that continual reviews are being documented will provide evidence that this is in place.
If you are still not sure where to start, grab half an hour and a cup of coffee with us and we will be very happy to share knowledge and good practice in manageable bite size chunks.