Welcome to my definitive guide to GDPR.
Who am I to write this guide? In short, I am no one!
I am not a lawyer, I am not a professional in European Law, I am simply ‘The Bad Manager’ (for more on that, see my other blog posts). Why am I writing this guide? My aim is to help other people like me, managers, who are facing the daunting topic of GDPR with the ever-looming deadline hanging over their heads.
I am hoping that by writing this guide, I may be able to help some of you understand some of the aspects of GDPR more easily. I have been wading through it for months now; I’ve listened to podcasts, watched talks on YouTube and attended seminars. Maybe I can impart some of this advice to you to help you avoid going through the same torturous process and spending hundreds of pounds unnecessarily.
You would be amazed how many emails I’ve received recently offering to solve all of my GDPR worries, if only I spend a whopping £600 (plus VAT) on a training course to teach me how, or on a webinar to make me GDPR ready.
Well, why pay? I can give you some of the titbits for free.
The thing is, most of this information is readily available if you know where to look. The internet is a wild and wonderful place full of all sorts of resources, both free and paid for. Two of the best resources I’ve found are:
The ICO (Information Commissioner’s Office). The ICO is the UK’s independent body set up to uphold information rights. These are the people who will actually be enforcing GDPR.
IT Governance. IT Governance is a leading global provider of IT governance, risk management and compliance solutions, with a special focus on cyber resilience, data protection, PCI DSS, ISO 27001 and cybersecurity. Basically, they are a company that can do it all for you or can train you to do it yourself. I have no personal or professional links to this company beyond the fact that they have some pretty useful free resources available on their website, and for that I thank them.
Ways of implementing GDPR
As the Business Admin manager for my company, it is my job to take care of things like GDPR. As I have stated, I am not a lawyer or even a student of law, let alone European law. So if you do not think that my advice is sound, then feel free to ignore it and go your own way. I cannot be held accountable for any ‘bad’ advice I give here; this is all my opinion and my way of doing things.
That being said, here are a few things you can do to safeguard you and your company:
Hire a company to do your GDPR for you.
Like all areas of business, there are companies out there who have sprung up overnight with the sole intention of taking away the headache of GDPR and being paid a pretty penny to do so. If you are worried about fines, don’t have the time or expertise to devote to GDPR, or have a boss/investor with deep pockets, then, by all means, use one of these companies. Their job is to handle all of the GDPR legalities: the paperwork, the policies, the rules and regulations. The work these companies do can range from writing your policies and letting you get on with it, all the way through to actually providing you with a remote Data Protection Officer (DPO – please see the section on the DPO for more details) to review your data, write your policy and regularly check up on how you are conforming to the policies and procedures they have put in place.
Hire a consultant.
One step below hiring a company to do it for you. The right consultant can work wonders (see my ISO blog post) for your company. If you find a consultant who can work with you rather than for you, then you can end up with a harmonious relationship and a policy which suits you and your company’s needs. But please do be careful: any Tom, Dick or Harry with a few years’ experience in a field can call themselves a consultant and offer services without the need for relevant certification or documentation. I would, therefore, always go on a personal recommendation from someone you know and trust to find a consultant, not just pick one with the right price tag from the internet.
Do the work yourself but get it looked over by a lawyer who specialises in GDPR.
I have to admit, this is most likely what I am going to do. There is a fee for this type of work, but it is usually an hourly fee and much more manageable than paying a company or consultant. It also means that the policy will be tailored to your needs and requirements and will not contain a load of meaningless puff which is not relevant or helpful. It also means that you only have to offer up the pieces of work which you are unsure of. My way of thinking is that I will use this service to get my work checked for any glaring omissions or terms which could be seen as vague or easily misinterpreted.
For anyone who has read my other posts, you will see that my language is often full of colloquialisms and examples. This is not something which an ICO official will want to read. Your language should be concise and to the point with no room for interpretation. A qualified legal professional will take your work and ensure that it will stand up to scrutiny.
Do it yourself and keep your fingers crossed.
This may sound like me being cynical, believe me, it is not! If I ran a small company, then I’d probably take a read of this, work up a few policies and procedures and leave it at that. I’d have no real need to delve into the nitty-gritty of what GDPR means and how I can safeguard my company and my customers. For a lot of companies, having an awareness of GDPR and being vigilant in how data is collected, used, stored and disposed of is going to be enough.
As it is, I am the Business Administration Manager for a company that has a turnover in excess of £3 million per year and is rapidly expanding, and as such, we cannot afford to be lax in areas such as GDPR. If we were reported to the ICO for a breach, then we could find ourselves in serious trouble. It is, therefore, my job to ensure that all policies and procedures put in place by me and my team are robust enough to protect the data and ensure that we do not leave ourselves open to any misuse or loss of the personal data of our customers, prospects or staff.
For those of you who are interested in reading more of what I say about GDPR, please see my next post.