Digital Leaders from businesses across the West Midlands met at Birmingham’s iCentrum Building on 19th June to discuss the impending changes to the Global Data Protection Regulations (GDPR).
Hosted by SCC, the event aimed to provoke the digital agenda within the West Midlands, whilst providing a forum for organisations to voice their concerns and opinions about the new GDPR regulations, with key speakers providing insight and support.
The discussion opened with a simple, but pertinent question most organisations are asking: Does this affect me?
The answer: Any company that has customers or employees will be affected by GDPR. The best case scenario is that your organisation is compliant and, as a result, will not be affected by the new regulations.
The discussion was led by SCC’s CTO, Ian Sherratt, who explained that the main focus of GDPR is to control the collection, processing and management of Personally Identifiable Information (PII).
Ian Sherratt summarised PII as “Any information that could be used to identify, or imply an individual in a situation.”
Most businesses collect this information in its various forms, which incorporates everything from the names and addresses of individuals, to data which is less obviously identifiable, such as GPS data and web activity.
The group discussed an example of how PII is collected by police forces following major incidents. On average, the first nine people to arrive at the site of an incident will use their phones to record video. Some may choose to anonymously submit this as evidence to the police via the internet. From this, witnesses may be implicated or identified in various ways, as the police may hold information relating to the device used to capture the footage, where the person was at the time the video was recorded, and the IP address of the device used to upload the footage.
A key question raised was that of ownership. There was a degree of uncertainty surrounding who within an organisation is responsible for the data.
The short answer is that we are all responsible, with new roles emerging within some larger organisations such as “Data Management Officers”.
It was highlighted that, although there is a lot of fear and scaremongering around GDPR, the intended outcome isn’t to destroy companies, but is designed instead to help provide an understanding of what data your company holds and what it is being used for.
Increasingly in recent years, people are finding their data is being captured against their knowledge and without their consent. An example of this is the use of customised advertising on sites like Google, or Facebook, where personal information such as emails, web activity, or posts on social media are being scanned to identify key words which activate personalised marketing campaigns.
GDPR intends to create a larger focus on consent, with organisations being required to make it clear what information they intend to capture and giving detail of each and every purpose for which the data is intended to be used. Similarly, organisations will be required to make it simple for the data owner to withdraw their consent at any time.
Once the regulations are in place, organisations who experience a data breach will be required to contact the data subject within 72 hours to make them aware of what has happened.
The fines associated with noncompliance with GDPR are significant, and this was a recurring concern throughout the session.
TalkTalk was recently fined £400,000 for a high-profile data breach. Had this occurred under the new GDPR guidelines, the figure would have been significantly higher, with estimates putting the final sum in the hundreds of millions. This is because fines will be based on a percentage of the organisation’s total income, so that the impact is as damaging to small companies as to large ones.
A key question discussed was that, since most organisations are realistically noncompliant today (current law does not expect them to be), initial policing of the regulations will be difficult.
The group predicted that in the coming years, some fairly high profile companies will be made an example of in order to promote compliance.
Organisations will need to be seen to be demonstrating that they are at least taking a reasonable course of action to adhere to the new policies. This means that, to begin with at least, there should be some leniency for those who can show they have been taking steps to comply.
Another recurring concern was that most organisations seem to be unclear on what is required to become compliant. Ian Sherratt explained that the first step to compliance is a Data Discovery exercise, which highlights what data the organisation holds and what it uses it for.
Contrary to the common belief that it will be acceptable to hold data for up to 30 days, Ian Sherratt described how “all information is not created equal” and that the length of time you can retain information depends on how long it takes to process it. Once the processing task has been completed, the data must then be disposed of.
This will mean a huge cultural shift away from the common practice of keeping data ‘just in case’.
By the end of the discussion, it became apparent that although GDPR is a significant concern and will have a significant impact on organisations, there is support available for those intending to become compliant.