Phew, you got through the 25th of May and the roof hasn’t fallen in yet – hooray!
You’ve got your shiny new privacy policy on the website, and your email marketing list might have shrunk by 80%, but at least your emailing costs are going to be lower, so that’s a win-win (well, a lose-win anyway).
But not so fast: GDPR wasn’t just for Christmas. It turns out that just saying things in a policy statement won’t be enough; you have to actually do it!
Here are some quick observations to help your thinking on GDPR:
- It isn’t just the website that’s affected; it’s all your internal systems, PCs, servers, backups – even your paper records
- Have you registered with the ICO yet? Just about every company will need to now
- No-one can say “it won’t affect me”, not even your boss who said he’d heard from a bloke at the golf club that you don’t have to do anything
- Compliance isn’t hard, it’s just difficult and never ending!
- Remember, even an IP address is “personal data”
The most important thing to think about is that you need to have audited your exposure and risks, and documented what you are doing to mitigate them. If things go bad, the 7th principle of the regulation is “Accountability and liability” – you need to be able to demonstrate compliance and the steps you have taken to mitigate any risks.
You also need to think about data access requests and how you will respond to them, and about removal requests, to make sure the right to be forgotten can be carried out easily and quickly.
Things change: you might move hosts, get a new server or start using cloud-based services. You will therefore need to keep revisiting your list of data processors and make sure you add new ones to it.
The other lesson is to keep an eye on things that you stop doing, so that once a project is over it is closed down properly. This might be when a client stops using you, or when a project or campaign has finished. In one of the first large fines, the University of Greenwich is facing a fine of £120,000 for a breach in 2016. There are more details here, but in a nutshell a microsite built for a conference in 2004 contained personal data and had been left available to the internet. It was compromised in 2013, and then in 2016 it was attacked by multiple attackers and the data was stolen and posted online.
This should be a wake-up call to many, as it is very easy to have an out-of-date instance, database, spreadsheet or website running or stored somewhere that you’ve forgotten about and which isn’t getting patched – and that could be the back door that the thieves are looking for.
So, ‘keep em peeled’ as we almost never used to say, and maintain a regular GDPR review and audit.