The GDPR came into effect in the UK on 25th May 2018. And whilst you’d be forgiven for thinking that it’s taken a bit of a back seat in recent government proceedings, it has been confirmed and reiterated that the UK’s decision to leave the EU will not affect the GDPR.
So what is the GDPR and how was it meant to affect businesses?
The GDPR contains many requirements about how you collect, store, and use personal information: information about your customers, partners, contractors and employees, to name a few. This covers not only how you identify and secure the personal data in your systems, but also how you accommodate new transparency requirements, and how you detect and report personal data breaches.
The GDPR provides EU residents with control over their personal data through a set of “data subject rights”.
These include the following rights:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- the right not to be subject to automated decision-making including profiling
What a number of organisations realised early on was that the GDPR was not exclusively an IT project: because it was an update to the Data Protection Act (DPA), it touched upon many departments and processes. For example, the whole ‘privacy by design’ concept, which requires ‘data protection by design and by default’, implicated teams from customer service and even marketing.
How far have we come?
Despite advance warnings and the deadline having now passed by almost 8 months, many organisations have struggled with implementing GDPR-compliant processes and systems – indeed, many are still not even sure they are compliant. This is in part because many legacy computer systems were not designed to meet the security, privacy, auditing and reporting requirements this law brings. However, failure to comply with the regulations carries severe penalties – up to 4% of global turnover in some cases. The fines so far are proof that the GDPR is a serious undertaking, and cases such as the Marriott and Starwood hotel group and even Google show that it has no signs of going away.
What can you still do?
The GDPR is a reality for all businesses that hold data about individuals. But a recent IT Governance report suggested that only 29% of organisations were fully compliant with GDPR.
If you haven’t overhauled your processes, or are concerned that it is now too late, then fret not: there are still things you can do to avoid the penalties. Indeed, as long as you can prove that you’re taking an active stance to fix processes and systems, you can avoid the iron fist!
Equally, the GDPR provides an opportunity to make sure your business is compliant with the latest data regulations and to take advantage of the benefits of digital transformation. Many organisations are wrapping compliance process updates into wider digital programmes and seeing this as an opportunity to ‘clean up’ databases and the like.
If you need help with these programmes, or with specific tasks such as identifying affected datasets within SharePoint, then Equdos can help. Additionally, we can help set up the systems that enable you to carry out the new processes, and put in place the necessary controls to ensure that the data you store within SharePoint meets the legal requirements of the General Data Protection Regulation.
If you’d like to find out more, then why not get in touch?