We are now more than 2 months post “GDPR judgement day” that quite frankly, felt something of a millennium bug; business did not self-combust, nobody was incarcerated and the plethora of consent emails received leading up to the 25th May came and passed with nothing more than a sense of relief amongst the confusion. For many, the compliance journey comprised of updating the privacy notice on their website and checking the anti-virus subscription was up to date should the server get hacked, job done.
Well, not quite.
Consider this; you’ve recently lost a member of staff, shortly after their departure an email comes into the organisation titled “Subject Access Request” from a private email address, purporting to be them and asking for not only their personnel file but for every email to, from, and about them. You then recall that member of staff was employed for 5 years and this starts to present some issues. Firstly, ask yourself:
The time taken to gather personal data requested can quickly become time consuming and complex, especially if you are unsure of where in the organisation personal data resides; on servers, on colleague’s laptops or physical copies perhaps in filing cabinets or archives?
Consider the motives for this individual; do they just have a healthy curiosity or is there another reason? Whilst this situation is no doubt turbulent, it is where GDPR is further reaching as it causes organisations to re-appraise their processes, acting as a catalyst to improve efficiency, one of many notable benefits.
UK wide, data subjects are starting to wake up to their newly found rights, fuelled by a current media interest in the mass collection and processing of personal data by organisations who harvest it for their own spurious interests.
In the South West peninsula, where some feel out of arms reach from the ICO, subject’s access requests are just one area of the new regulation causing organisations a considerable headache. There is also a fallacy that GDPR is predominantly based on how organisations handle customers personal data. The threat can be both internal as well as external, like the ex-employee mentioned above.
GDPR is also about managing risk. Not knowing the personal data your organisation processes, its lawful basis for doing so, where it is and what you do with it exposes you to falling foul of the regulation. Failing to recognise risks has proven to be the undoing of many businesses, so not knowing where you are on the compliance journey exposes your organisation to the risk of fines, sanctions and reputational damage you’ve spent years building, of which reputation is arguably the most important.
Sampson Hall have developed a GDPR strategic audit that’s designed to give organisations a snapshot of where they currently sit on compliance now that the regulation can be enforced. Contact us to discuss how we can support you in your GDPR journey and fulfil the real opportunities GDPR presents.