We all do marketing to make us stand out from the competition and show the compelling reasons to buy the product or service we provide. But sometimes a marketing message doesn’t give the complete picture. For the General Data Protection Regulation (GDPR), this could lead companies to believe they comply when they actually have several outstanding issues to address, which could result in a very large fine.
First, some background. The GDPR replaces the Data Protection Act (DPA) from 25 May 2018. Brexit doesn’t make a difference: the UK will still be in the EU when GDPR comes into force. The consensus is that after the UK leaves the EU something very similar to GDPR will be required if we want to trade with the EU and other countries, and if you hold the details of any EU citizens you will need to comply with all the GDPR requirements after Brexit anyway. If you have a data breach, or cannot show you have taken steps to comply with the requirements when audited, fines are much higher than they used to be: up to €20m or 4% of global annual turnover, whichever is higher.
This is an ideal opportunity for vendors to raise the profile of security products and show how they help with GDPR compliance, and in many cases I see this being done well. However, in the past few weeks I have sat in on webinars and read white papers where a product is promoted as the answer to GDPR compliance without mentioning requirements such as keeping a record of consent to contact an individual (Article 7) or the right to erasure, the so-called right to be forgotten (Article 17). The products are very good at what they do, but if purchasing decisions are made on the basis that this is all that is required, companies are going to be in for a shock when someone points out the areas that have not been looked at.
If you are looking to purchase products that help with GDPR compliance, make sure the vendors state clearly which parts of the regulation each product addresses. As GDPR applies to all personal information, and for most companies some of it will be on paper, a single product is unlikely to cover everything.
The starting point could be asking which of the Principles in Article 5 are covered. There is Accountability (the controller shall be responsible for, and be able to demonstrate, compliance with the other principles), and the requirement that personal data shall be:
- Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency)
- Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (purpose limitation)
- Adequate, relevant and limited to what is necessary (data minimisation)
- Accurate and, where necessary, kept up to date (accuracy)
- Retained in identifiable form only for as long as necessary (storage limitation)
- Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (integrity and confidentiality)
Please get in touch for advice on GDPR compliance. We don’t sell products.