Data Protection Impact Assessment and the GDPR – Compliance Compendium

Earlier in the year, the General Data Protection Regulation came into force, requiring companies to change the way they handle data.

Compliance Compendium chief business development officer Gareth Gadd believes that a lot of these companies saw 25th May as the finish line, when in fact it was just the starting block. This means that as the ICO becomes more sophisticated and comes to terms with the new legislation, there will be a lot of smaller firms receiving fines.

Gadd said, “If you are a medium-sized company and lose access to your data for 24 hours, it can affect your company’s performance for three months. If you lose your data for 48 hours it can put you out of business. In the same way, the data breaches and some aspects of the GDPR legislation can severely impact a business if they get fined.

“Before, a lot of the fines were manageable for a lot of companies, but now they have the ability to basically put companies out of business, if not immediately, then over time because it affects your capital.”

One of the big issues is companies not thinking that they are ‘big enough’ to need to comply with the legislation. A misunderstanding of all the necessary steps is also a key problem facing companies, such as how to conduct data protection impact assessments and when these are needed.

Compliance Compendium, a cloud-based application to help companies comply with GDPR, has provided details to help enterprises understand the legislation better.

Compliance Compendium: The General Data Protection Regulation (GDPR) came into effect during May 2018. The focus of the GDPR is on proper data handling and management. But why bring risk management into the picture? And why the need for assessments and all those things?

RISK MANAGEMENT

Risk management, broken down to the basics, is the identification of current and future risks or hazards that could affect your company or the projects it is working on. The aim here is also to identify possible solutions or mitigating factors for these.

One of the requirements of the GDPR is that Data Protection Impact Assessments (DPIAs) be conducted regularly. So regularly, in fact, that one has to be done before each and every big project.

WHAT IS A DPIA?

The ICO provides checklists and guidelines that can be used when conducting these assessments. Companies are also allowed to draft their own templates, using the above for guidance.

The whole purpose behind the DPIA can be summarized as follows:

  • A detailed summary of the scope and purpose of the project – specifically detailing what data will be collected, why and how it will be collected, and what it will be used for.
  • What will be the risks to the individual upon collection and utilisation of their information?
  • Are there any methods in place to alleviate or prevent those risks?
  • On a scale, how high is the risk profile?

For high-risk projects, the UK’s ICO needs to be informed so that it can do a final evaluation and assessment of the DPIA.

One DPIA can also be used for a few inter-linking or overlapping projects, or by multiple role players working on the same project.

A Data Protection Officer (DPO) is a valuable resource for any company to have. They know the GDPR off by heart and will be able to assist with the DPIAs.


TO PUBLISH / NOT TO PUBLISH?

For high-risk projects, the DPIA also needs to be published. But not all DPIAs need to be published. Some people advocate publishing more, as this will prove that your company is both compliant and transparent. You don’t even need to publish everything; summarised versions are also acceptable.

ALL THE JARGON ASIDE…

“I just started my company and know the new legislation and regulations, but am very unsure of how to do my first DPIA.” A wonderful fountain of knowledge and advice for the everyman can be found at our company website, Compliance Compendium. Our main aim and focus is to provide assistance to companies of all sizes and NGOs, both in the UK and worldwide.

We have offices in the UK itself as well as in India, and come with a very competent staff complement. Our services and products are affordable, focusing on regulation and compliance assistance and training rather than on making a quick buck. Find us at ComplianceCompendium.

IN CONCLUSION

All these new laws and regulations can feel like an unclimbable mountain at first glance. But the golden thread running through them all is the protection of the individual citizen’s data by companies within the UK, as well as by those doing business with citizens of the UK.

If you follow the regulations and work on the advice of Compliance Compendium, your company will be open and transparent to the public. Your company will also show that it has the best interests and safety of the individual in mind in everything it does.

I hope this article has been useful. Please feel free to leave any comments or suggestions for future improvements.


Copyright © 2018 RegTech Analyst
