As many of you will know I have a fondness for the saying that goes something like this: “Insanity is doing the same thing over and over and expecting different results.”
Putting aside the debate as to whether it was Albert Einstein who first said this, the statement, in itself, makes a lot of sense; after all, only a mad person would keep doing the same thing and expecting a different result. Fill up a bucket with a hole in it and you can expect the contents to soon be dispersed all over your new Gucci loafers. Do it as many times as you like and all you will get is a pair of ruined shoes!
Let me, then, apply this logic to the General Data Protection Regulation.
If the definition of insanity is doing the same thing over and over, but expecting different results, what have we done differently in our approach to Data Protection?
On my travels I repeatedly hear GDPR being referred to as the ‘millennium bug’; the implication being that it was much ado about nothing and that, in the end, the status quo has resumed.
Interestingly, the ICO passed comment on this type of mentality towards data protection regulation; they said that “…GDPR doesn’t end on 25th May 2018 – It requires ongoing effort.”
To the ICO, GDPR is “…an evolutionary process for organisations – 25 May is the date the legislation takes effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.”
Ok, so GDPR is not something that should be forgotten. It requires regular, constant attention.
In that case, allow me to ask a somewhat impertinent question – what have you done since May 25th?
By now you should have:
- Read and understood the associated guidance on the ICO, FCA and TRM websites.
- Conducted your data audit.
- Recorded a list of all third parties with whom you share data.
- Established your “lawful basis” for processing customer data.
- Reviewed and updated (or written) your data protection policy.
- Reviewed how you obtain customer consent and ensured it is suitably robust, so that clients can still be contacted in a post-GDPR world.
- Segmented your clients into those who can and cannot be contacted and the means by which you may communicate with them.
- A clearly defined Subject Access Request (SAR) process.
- Put in place suitable protection for electronic data storage and communication. You should be using password protection and encryption as a minimum.
- A data retention policy.
- Trained all staff on data protection requirements and documented this on their T&C file.
- Suitable procedures to detect, investigate and report personal data breaches.
- Established that all lead providers have obtained sufficient permission to allow you to pass on the details of the client.
Since GDPR came into force at the end of May 2018, we have already been notified of three data breaches.
The key points taken from these breaches are:
- Customers are well aware of GDPR, the associated implications and their rights. They are looking at businesses and deciding whether they wish to work with individuals or firms depending on their approach to data protection.
- Customers are looking to report failings of firms or individuals where data is not suitably stored or used. We have had a couple of reports about customer data not being sent through suitably secure means.
- Keep your electronic hardware safe – theft can result in data loss and is therefore reportable to the ICO.
- Sharing customer data, even with the Network, or a Provider, without having first obtained permission to do so, can result in a data breach and a complaint being reported to the ICO.
So GDPR is certainly not like the ‘millennium bug’ – it is here to stay and needs to be taken very seriously.
So what about that definition of insanity? Well, allow me to urge you to think carefully about the data you hold and how you use it, or you might just find that carrying on without making the necessary changes sees the ‘men in white coats’ coming for you.