IoD Warns of GDPR Knowledge Deficit

The recent report from the Institute of Directors that nearly a third (30%) of UK business leaders have never heard of the GDPR chimes with my thoughts in a recent blog post, 5 Steps to Prepare for GDPR, that I wrote for the IoD.

The good news is that those senior executives who are aware of the new regulation seem to be progressing well on compliance, according to new IoD research.

The study of nearly 900 IoD members reveals that 40% didn’t know if the GDPR would affect their business. As the report affirms, this is a major concern considering the new data protection law will touch almost every public and private sector organisation in Europe and beyond.

The confusion that appears to exist at senior management levels within organisations may be compounded by a misunderstanding of the impact of Brexit, which has cropped up in conversations I have had with directors.

I still encounter senior people who believe that with Brexit they don’t really need to comply with the GDPR, as it’s an EU requirement. As I have outlined previously, that is very much not the case. The government has confirmed that the UK Data Protection Bill (which includes the requirements of the GDPR) will proceed into law, so all UK companies need to be compliant by the May 25th, 2018 deadline.

Meanwhile, half of those surveyed by the IoD said they haven’t yet discussed GDPR compliance arrangements with partners or vendors with whom they share data.

This is a potentially serious oversight in light of the fact that third parties are often an organisation’s weakest link when it comes to data protection.

However, of those that understand the regulation, two-thirds (66%) said they are either “very” or “somewhat” confident they fully understand how it will affect the running of their business. Plus, 86% claimed they are “very” or “somewhat” confident of being fully compliant by the May 25, 2018, deadline.

The report is particularly concerning in light of the hacking news this week that the Financial Conduct Authority is investigating the circumstances surrounding a cybersecurity incident that led to the loss of UK customer data held by Equifax Ltd on the servers of its U.S. parent.

The announcement follows a letter from Nicky Morgan, chair of the House of Commons' Treasury Committee to the watchdog, asking if Equifax had violated the terms of its license to operate in the country and whether the regulator had the power to compel the company to provide compensation to UK consumers.

No matter what their business is, every UK and EU company is likely to hold some Personal Data (if only for its employees), so, in readiness for the GDPR, they should follow the steps below as a minimum:

1. Understand Your Data

Know and understand what Personal Data your organisation collects.

2. Create your data purpose(s)

If you already have a data purpose, then ensure that it is updated and appropriate for use under the GDPR.

3. Ensure consent

Ensure that you are obtaining the Data Subject’s consent to use their Personal Data.

4. Support the data subject’s rights

Assess your business processes and the functionality of your computer systems to be able to support the Data Subject's rights within the time frames dictated by the GDPR.

5. Create an incident response plan

Have an Incident Response Plan in place that can be followed, so that your organisation does not have to establish the process whilst dealing with an incident.

I have been talking directly to the IoD in recent months about the impact of GDPR on UK businesses and further afield. In fact, I was recently asked to chair a roundtable on the subject that was very well received.

If you are a member of the IoD and would like to find out more, please contact me at darren.wray@fifthstep.com. You might want to come to our next GDPR roundtable.

Meanwhile, my recently completed book, The Little Book of GDPR, is available in paperback and e-book formats from your local Amazon store, or from the following link: https://www.amazon.co.uk/Little-Book-GDPR-Getting-Compliance/dp/1522021140

Darren Wray