What’s different? It’s accredited!
This week SPOCE announces the launch of its new GDPR training and qualification. The General Data Protection Regulation (GDPR) has become the buzzword in data protection, and if you or your organisation handles personal data in any way, you will be affected by the changes. So, what is it all about? Essentially, the GDPR comes into force on 25th May 2018.
It has been put in place by the European Union to strengthen and unify data protection laws across its member states. It is essentially a progression of the 1998 Data Protection laws. That is the good news: if you and your organisation have been closely adhering to the current laws, then you are already doing a lot right in terms of GDPR.
What has changed though?
GDPR unifies current legislation across all EU countries. Any organisation in the EU that holds any form of personal data on anyone within the EU is now liable, and regulation is no longer simply a matter of national legislation. Brexit is no get-out clause either: we are still officially in the European Union, and almost all organisations will be dealing with EU data in some form or another. This includes the people you employ, not just your customers.
So, in a nutshell this is what’s new…
The definition of personal data has changed. It now covers a much broader spectrum of categories, both digital and offline; the expanded definition includes IP addresses, photos, social media posts and even genetic information about a person, such as their DNA. Individuals have new rights under this regulation: the right to be forgotten; the right to object; the right to insist that a breach is rectified; the right to access what is being held on them; and the right to have their data moved from one organisation to another. This of course means that organisations need to be prepared, process driven and transparent.
Penalties: these show how seriously this needs to be taken. The current maximum penalty is £500k. The new maximum penalty under GDPR will be an ‘eye watering’ 20 million euros (or 4% of gross annual profit, whichever is the greater). In addition, consumers can now claim compensation for data breaches under the new laws.
Governance: an organisation’s commitment to governance is taken much more seriously. Any organisation with over 250 employees, or that ‘profiles’ more than 5,000 individual records each year, will be legally required to employ a Data Protection Officer.
Opt-in and consent: the way these are laid out will change dramatically. Organisations will no longer be allowed to pre-populate opt-in boxes. Consent to use personal data must be opted ‘in’ directly by the consumer, who will receive clear notice of what their data is going to be used for. This includes a ban on complicated terms and conditions that do not provide full transparency about what will happen with the data.
Cultural changes: organisations will need to ‘commit’ to the changes and not just pay them lip service. The changes will need to be a cultural shift as much as anything. How is this done? By training staff, creating awareness and keeping the correct audit trails of where data was obtained and what it has been used for.
There is no soft launch for this. When GDPR goes live so do the penalties!
How do I get started?
• Establish whether you are a data processor, data controller or both, because your responsibilities will differ depending on this.
• Establish what the personal data is that you hold and how you use it in line with the new changes.
• Establish your status quo as a controller or processor and do an audit of what needs to change under the new regulations.
• Refine your processes, so that you can react to a customer’s right to be forgotten or to a data breach, for example. Under the new rules, reaction times count: there is a 72-hour window to report a breach.
• Once you have established who in your organisation deals with personal data make sure that they are aware that the changes are coming.
• Make sure that your key stakeholders are also aware of what the changes are and what their role is in this as they are key to the cultural changes required. Cultural commitment starts at the top of the pyramid!
• Implement an awareness and training programme and make sure there is an ongoing audit system. Your people need to live the changes and not just pay them lip service.
• If you really want to show that you and your organisation have given GDPR the serious attention it needs, substantiate it with an accreditation programme.
SPOCE offers GDPR awareness training from as little as £49 + VAT, and £399 including the exam.
We can offer this training as an e-Learning module, or if you are booking multiple courses we can also arrange virtual classroom and traditional classroom events for your organisation.
If you would like to discuss this further with a member of our team, please email firstname.lastname@example.org or call 01202 736 373.