The internet is full of dire warnings about GDPR (the EU General Data Protection Regulation). Non-compliance will be punished by heavy fines, they say, and you have a lot of work to do to reorganise all your data and mailing lists. The implied message is that you had better pay a consultancy a large amount of money to help you.
How much of that is really true? And how much of it applies to you?
The answer, if you are a business employing fewer than 250 people and holding only standard data (such as a payroll), is: hardly any.
GDPR is really aimed at large corporates such as Yahoo, TalkTalk and O2, which have been careless with our data in the past, let hackers get their hands on it, and then said nothing about it for many months. The most recent example is Equifax, which was revealed in September 2017 to have lost 143 million customer records through a data hack four months earlier, in May. In fact, this turned out to be their second breach: they suffered one in March too, and kept completely quiet about it.
It is companies like this, which suffer repeated failures and then fail to inform the authorities or their customers, that will be paying the large fines.
If you’re a small organisation, especially one with good cyber-security that holds very little personal information about your customers, you’re highly unlikely to come to the attention of the regulators. The only exception is if your business model depends on the regular processing of significant amounts of personal data. So if you hold lots of consumer financial details, health records or criminal records, for example, you should make sure you get specialist advice.
For everyone else, it’s a matter of:
So what you should be doing now is:
Keep only the data you need; look after it carefully; and ‘fess up immediately if you ever suffer a breach. Follow these three golden rules and you should never have cause to fear GDPR.
Ashley Ranwell is a passionate writer about business technology and worked with First Line IT in the research of this article.