May 2018



By Steve Songalia

If you’re anything like me you have been inundated with emails, phone calls and invitations to seminars on GDPR – perhaps to the point of fatigue…

GDPR stands for The General Data Protection Regulation and comes into force on the 25th May 2018. It’s not a revolution it’s an evolution of an existing standard – the Data Protection Act 1998 which is based on the Data Protection Directive (DRD) which is 20 years old. That fact alone should probably say to us that a revision and update was necessary when taking into account the changes in our world and the use of data over the past 20 years.

I have chosen my words carefully when saying data and not technology, of course we all utilise technology to store, move and use data, however the regulation is aimed at data not how it is held or transmitted so includes paper records and all forms of storage including film. It is easy to conclude that the GDPR is primarily the concerns of the technologists within your business – it isn’t it is an Executive level responsibility shared by all the employees within a business.

It is a large piece of legislation even by lawmakers standards, it runs to over 200 pages. Some key areas that it contains are:

  • Stricter Consent Provisions
  • Detailed descriptions of categories of data
  • Requires Data Protection by Design
  • New Regulatory framework
  • Administrative fines

Much has been made of the fine system for breaches perhaps too much when the aim is to respect data sovereignty in the 21st Century and ensure that the regulatory framework recognises how we work today.

In fact Elizabeth Denham the UK Information Commissioner is on record as stating in her blog on August 9th 2017 that –

“This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that. Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point. And that concerns me.”

This infographic from the ICO explains succinctly 12 steps that you can take to be GDPR ready:

12 steps

GDPR is an Executive level responsibility and initiatives to ensure compliance should be led by the board and be open and transparent.

Depending on the size of your business you might have access to internal resources such as existing process design teams or quality teams who will have a thorough knowledge of creating procedures that ensure your business is GDPR ready. If you are a medium sized business then a good starting point is to appoint an external company to complete an information audit and from there you can plan a programme that ensures you build processes that comply

Whatever strategy you adopt, communication will be key and film is often the most effective way of communicating a message that is complex and can require a change of behaviour. In this case, the understanding by everyone in the business that data sovereignty is their responsibility.

Perhaps the last word should go to Elizabeth Denham:  ‘Getting it right means not only following the letter of the law, but taking people with us, demonstrating to customers that you’re taking your responsibilities with their data seriously. We want to hold organisations up as great examples of how privacy and technology can work for consumers.