Don’t Panic – Pier workshop demystifies GDPR
"GDPR (General Data Protection Regulation) – You have 30 days to comply!" could have been a dramatic title for this workshop, held on Hastings Pier on 25th April, describing the tectonic, perhaps even seismic, shift in data protection compliance due to come into force on 25th May. Andrew Everest reports.
GDPR workshop given by Thepeoplehub, Pearce Marketing, Beaming and Green Insurance
In a nutshell (an expansive nutshell), GDPR is the replacement for the European Union’s previous Data Protection Directive, updating, merging and replacing existing data protection and personal privacy legislation.
What GDPR brings is a shift to a situation where the privacy, rights and freedoms of the individual are paramount. Under its rules, explicit consent must be sought before personal data can be collected, used or moved. Collectors and keepers must also be explicit about what purposes they will use it for and for how long, as well as with whom, if anybody, they will share it. Responsibility falls to Data Controllers rather than subjects.
With the regulation presenting obligations to report data and personal information breaches within 72 hours, and the threat of punitive fines for transgression, it was little wonder that the workshop was packed to capacity.
With the clock ticking, local qualified practitioners and advisory businesses Pearce Marketing, Thepeoplehub, Beaming and Green Insurance had teamed up to give a 3-hour workshop for concerned businesses. This provided comprehensive but succinct advice, with the event provided at the expense of those presenting it.
Thankfully, this workshop didn’t paint a doomsday scenario for which the speakers offered a magic bullet, but presented a sensible toolkit for approaching this important issue and legal obligation.
If GDPR means nothing to you, the slew of emails arriving from various quarters asking you to reaffirm subscriptions may have alerted you. This sudden interest in your continued consent marks the start of the obligations the legislation brings.
Four little letters, quite a big subject. The speakers digestibly described the coming environment, and what you should be doing about it from a business perspective.
First up, Nicky Histed of peoplehubhr, who gave a walkthrough of what is rapidly approaching. In this she described the fundamentals of the new regulations. This boils down to only keeping data for which you have:
• A legitimate reason for collecting – documented and justified – Businesses
• For contractual necessity – Payroll and similar
• A legal obligation – For legal reasons (Law firms etc)
• To fulfil public tasks – For local and other authorities
• Vital interest – Mainly applicable to healthcare
• Criminal offence
• Special Category (not covered on the day)
It also presents an obligation for data ‘collectors’ to prove they have taken steps to protect and actively prevent misuse of individuals’ and organisations’ information. To this end, and to meet the requirements of the legislation, as Nicky outlined, they will need to have, depending on the size of the business, a Data Controller or Data Administrator responsible and accountable for all matters pertaining to GDPR.
Nicky also outlined the higher profile of the Information Commissioner’s Office, hitherto more of a simple presence on the data landscape. The Office will now ‘police’ the legislation. The message here was that the onus is to ‘fess up’ as soon as possible rather than attempt to ‘cover up’ breaches.
Adequate staff training, ensuring suppliers and partners also comply, and robust procedures were also key areas addressed.
Brexit won’t save you, as UK legislation in this area will closely follow EU law post-Brexit.
With the unenviable task of making IT Security sound interesting came Sonia Blizzard, Managing Director of Beaming. She came with an avalanche (Sorry Sonia, couldn’t resist) of information delivered succinctly on the technical aspects of compliance and data security in general.
The key points she outlined were neatly summed up in an acronym, CIA.
• Confidentiality – Data and personal information must be kept securely
• Integrity – Who sees what and why, if at all.
• Availability – Keeping back-ups and ensuring data is available for inspection and legal use
Emma Pearce of Pearce Marketing gave a detailed overview of the practicalities that the regulations present for marketers and marketing communications. The key points here were:
• Gaining explicit consent for marketing communications – giving a withdrawable soft opt-in and recording that consent – no pre-filled tick boxes – and recording opt-outs
• Communications being targeted and proportionate
• Ensuring that your mailing list is clean and consented and avoiding using contacts for which you do not know the level or extent of consent, such as bought-in mailing lists
• Continue to conform with existing Privacy and Electronic Communication Regulations
Bringing the workshop to a close, Glen Gillam of Green Insurance briefly addressed insurance and indemnity products, discussing the fallout of a breach and punitive action.
While it is hard to cover all the nuances and implications of the legislation in a short article, the speakers provided good pre-flight briefings as to what turbulence might occur and what corrective actions can be taken. Seek advice for your particular business. There’s more to consider than is covered here!
So, time to fasten your seatbelt and don your braces, and prepare for take-off into a new world of privacy and consent.
• To get information straight from the horse’s mouth, visit the Information Commissioner