GDPR, Don't Make the Obvious Mistakes - Sam Glynn, Code in Motion
The General Data Protection Regulation (GDPR) will increase businesses' obligations to manage how they collect, use and protect personal data responsibly. This law is rooted in strengthening the rights of the individual. Businesses will need to be fully transparent about how they use and safeguard personal data, and be able to demonstrate accountability for their data processing activities. Ahead of the GDPR regulatory changes in May 2018, Sam Glynn, of Code In Motion, has shared the top 5 reasons for complaints to the Data Protection Commissioner.
GDPR, Don't Make the Obvious Mistakes
I recommend only attending GDPR events and briefings when you are confident the presenters know what they are talking about. Events that include presentations from the Office of the Data Protection Commissioner (ODPC) can be especially insightful, given that they are the regulator in Ireland and the people you will have to answer to when things go wrong. At a recent presentation by the ODPC at an event run by the Association of Compliance Officers, they discussed the types of mistakes they see companies making every day.
The top 5 reasons for complaints to the ODPC in 2016:
- Not complying with an individual’s access rights (56% of all complaints)
Firms do not have clear procedures and policies for dealing with subject access requests, e.g. requests for information about, and copies of, an individual's personal data. More people are likely to exercise their access rights once GDPR removes the €6.35 administration fee that is currently allowed. Organisations will receive more requests, and GDPR will reduce the time available to respond from 40 days to 1 calendar month. I'm not the only one who thinks this is going to be a serious problem for organisations in 2018.
- Unauthorised disclosure
Disclosure of an individual's personal data to an unauthorised third party. Many of these incidents are currently caused by simple errors: data sent to the wrong email address; two letters for two different people put into one envelope.
- Electronic direct marketing
For example, sending emails to people without their consent, spam, or unsolicited SMS. This is a very complex activity to get right, and it is governed by a range of laws and regulations (e.g. PECR / ePrivacy). It will only become more complex with the arrival of GDPR and the updated ePrivacy regulations.
- Unfair processing
Organisations use the data they have collected for purposes to which the individuals did not agree. It all comes back to the basic test: are you doing something that would surprise or concern a data subject?
- Failure to secure data
Failure to put even basic security measures in place, e.g. unencrypted laptops, lost USB sticks, or the lack of any staff policy prohibiting documents containing personal data from being taken out of the office.
My key message: Don't make it easy for the ODPC
Sam Glynn advises businesses on how to comply with GDPR. He holds a Professional Certificate in Data Protection from the Association of Compliance Officers in Ireland (ACOI), accredited through the Institute of Banking and UCD. He is also a Certified Information Privacy Practitioner (CIPP/E), accredited through the International Association of Privacy Practitioners (IAPP). Sam is not a legal advisor, but using his 20 years of experience helping businesses to implement change, he can show you how to make the pragmatic changes needed to comply with GDPR. For more about Sam Glynn, visit Code In Motion Ltd.