GDPR_Tailored_PackagesWhat’s so hard about implementing changes to your business data protection policies and processes under GDPR? Surely once you update your privacy policy, email all your contacts about opting-in and check that the new data protection clause in your business contracts says ‘GDPR’ somewhere, that’s all there is to it. I sometimes hear business owners say, “I can even copy someone else’s policy and make it my own, surely one privacy policy will be very much like another.”

Hold on, before you rush off on a world tour to spend that £20m you’d been hanging onto in case of a fine from the ICO, you might want to stop and consider why the EU felt the need to plunge us all into a compliance nightmare. And how are the regulatory authorities likely to react to your plan with their now herculean strength to crush SMEs? Doing pretty much the same thing as before probably isn’t going to cut it.

Where are you on your journey to compliance?

The 25th May has come and gone, we’re all at various stages in our compliance programme. If you’re like the majority of SMEs, there was probably a flurry of work in anticipation that turned into stagnation in the weeks afterwards. The Information Commissioner’s Office haven’t marched a business owner out for public execution yet, and the rest us lost interest after we’d spent two weeks deleting almost everything that came into our inboxes.

Instead of a promised new dawn for data protection, most of us have crystallised at the point in our journey where the deadline passed or we lost interest. We can all sit and blame new legislation as much as we like (I’m sure there’s a joke about Brexit in there somewhere, but maybe it’s still too soon…) but it’s unlikely to provide much security when your new privacy policy says that you don’t send personal data overseas yet your website is hosted by Americans. OK, maybe that example is a bit specific, but it’s the specifics (or lack thereof) that can get you into a world of trouble under GDPR.

How closely will anybody really be looking?

Those that have spent time pouring over the various clauses in the GDPR will know that it’s not just the size of the fines that are scary, but the number of opportunities there are to be tripped up by the legislation. Getting hacked and losing a million credit card numbers; hundreds of patient records being left in an open cupboard; scraping email addresses from the web to spam – these are the obvious routes to getting fined that have existed for decades.

You don’t process payment data, don’t hold sensitive data and are lucky if your marketing emails get out more than once a month. Where could things possibly go wrong?

Alongside the many opportunities for a slap on the wrist, the most obvious answer to the question above is, “through your partners and suppliers”. The new regime surrounding ‘controllers’ and ‘processors’ means that when things go wrong, it’s not so easy to just point the finger and walk away.

Whenever personal data passes between you and someone else, there must be a contract in place, it must deal with certain issues and you’re both responsible for ensuring mutual compliance with it – including if you’re operating from their terms. I hear you thinking that this is all just adding to the paperwork and not solving anything. But as with all contracts, that can only ever be true up until something goes wrong and you need to rely on those documents to see how bad it’s going to be.

And it’s not just the contracts. Those contracts will refer to your policies. Those policies will have processes linked to them. If any of those documents are absent or in no way reflect what you’re doing, they’re useless. If you’ve ever been through litigation, or know anyone that has, you’ll know that all of your actions and inactions are revealed once someone is trawling through your paperwork. This can be hard to justify if it’s simply a case that you never found the time to get on top of it.

So how far from magnolia do we really need to go?

For most of us, all of this means that ongoing compliance is about effectively managing your supply chain as it is anything else. If you’re already doing this, then filling in the ‘GDPR shaped gaps’ in your policies will be less painful than you might think. If not, then this is an excellent opportunity to get on top of things and add some colour to your data protection policies and processes, make them your very own. Devant have three GDPR packages, bronze, silver and gold (definitely no magnolia!). There will be one to suit your needs so you can make sure that your business and its clients are suitable protected. Whilst there will be an initial cost (both in time and resources) the payoff will be the more efficient performance of your contracts, greatly reduced risk and, of course, less stress! Contact us if you’d like to discuss which package will be right for your business.

Fraser Gleave
Junior Commercial Contract