Keith Ridgeway offers FMs a checklist to ready themselves for the new GDPR regulations
08 May 2018 | Keith Ridgeway
What GDPR is and how it applies to FMs
The General Data Protection Regulations (GDPR) updates and replaces the existing Data Protection Act (DPA). It ensures that any organisation that controls or processes personal data (i.e. data that can be traced back to a 'data subject' who is a living person) is applying data protection principles, and can demonstrate this. Personal data can be either commercial or private.
So if you hold personal information on employees (i.e. for payroll purposes), contact information for your clients, or indeed any 'personal data', then GDPR will apply to you.
The Information Commissioner's Office (ICO) has released resources to help businesses understand GDPR and implement measures to align with its requirements.
Areas of FM most affected by GDPR
These will be those departments that collect and process information identifiers of staff, customers, suppliers, contractors and members of the public. This includes a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
My field engineers and security staff are paper-based
GDPR does not distinguish between hard copy personal data or soft copy (electronic) personal data.
My staff and customers are not in the UK
Even if your customers are not in the UK it is likely that you still employ staff and hold HR information on these staff in the UK. GDPR still applies.
Will all my employees need to know about GDPR?
It is vital that all staff are made aware of GDPR and their responsibilities for data protection in your organisation. Even with the most stringent automated controls in place 'people' will always be your weakest link (and greatest risk) in terms of data protection. You must make sure your GDPR awareness campaign is being planned now to guarantee that your staff understand:
- The requirements of GDPR;
- Your expectations as an employer;
- Controls and processes in place to be adhered to;
- How to recognise and report a data breach; and
- Who to speak to regarding data protection.
What is a personal data breach and what action must be taken in its wake?
This is defined in the GDPR as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, transmitted, stored or otherwise processed".
This covers a wide range of scenarios, including, for example, accidental loss or theft of a mobile device containing personal data, unauthorised disclosure of personal data as a result of hacking or phishing, unauthorised access to personal data by staff or suppliers, and so on.
Notification of breaches to the authorities (ICO) is now mandatory and must be done within 72 hours of the breach being known.
What if my company does not comply?
Under the GDPR, there are tiers of fines that can be imposed depending on the severity of breach. The worst-case scenario for fines is 4 per cent of global turnover or 17 million - whichever is the greater.
Not only are fines imposed, but the ICO names and shames businesses in breach.
I'm struggling to meet the 25 May deadline. Where do I start?
Carry out GDPR awareness training for all staff. Undertake a Privacy Impact Assessment (PIA) as this will identify the five 'W's': 'What, Why, Who, When and Where' for personal data within your business.
This will also help you to focus on all the potential personal data that may be controlled or processed within your organisation. From this point, you can decide on what risks you may have and the controls to address these risks.
A PIA can reduce the risks of harm to individuals through the misuse of their personal data. It can also help you to design better processes for handling personal data.
Keith Ridgeway is a business assurance management systems auditor who prepares businesses for GDPR compliance