The Importance of a company-wide culture shift in GDPR compliance
It is important that companies are acutely familiar with GDPR at every level, particularly so at the executive level. There will need to be a change in company procedure and protocol that must be enforced across the entire business. The responsibilities that GDPR places on SME’s are particularly onerous and will require your business to restructure some of its core processes. It is essential that the importance of compliance is reinforced that this is consistent throughout the entire business. As mentioned in many of these articles, the obligations imposed on businesses through GDPR are non-delegable and cannot be discharged through the non-conformance or negligence of an employee. This is why businesses should take a top-down approach to GDPR compliance, making it as difficult as possible for employees to disregard the GDPR protocols.
It is unsettling, that when speaking to SME’s across the country that there is exists an air of GDPR ignorance below the ivory C-suite executives (and in many cases by the executive themselves) about GDPR. In reality, in order to be properly implemented, GDPR compliance needs to exist across every of a business. The drafters of GDPR, the ECJ and COM, envisioned a fundamental shift in the culture of Data Handling. It is designed so it cannot be relegated to a convenient afterthought but rather it is to become the foundation from which changes are built upon
Perhaps the most compelling reason businesses should look to a company-wide culture of GDPR compliance in Article 34. A barbed regulation that seeks to impose punitive damage through the enforced announcement of non-compliance. Government sanctioned naming-and-shaming.
GDPR ‘Art. 34 Communication of a personal data breach to the data subject’ places an obligation on companies to inform their customers within 72 hours after discovering a Data Breach. This has the potential to be fatal for SME’s who are vying for the trust of their customers. A report by CNBC found that over 40% of all Data Leaks were caused by the negligence of employees. This is particularly relevant as under the obligations imposed by GDPR are non-delegable. This means that the company is held accountable for the actions of its employees to the same degree as if it had committed the original violation. A comprehensive and thorough data security policy is essential in reducing the chances of a Data Breach and the consequences that would come as a result of that.
It is by design that the consequences for non-compliance have become quite so burdensome. As one can understand, it is untenable for legislation crafted expressly to govern the entirety of businesses throughout the EU trading block to be solely enforceable upon the discovery of an infringement. Rather, GDPR has been intentionally designed as a non-delegable regulation specifically for the purpose of ensuring that businesses are thereby forced to self-govern. Here, ignorance to the legislation at any level does not mitigate the consequence of non-conformity. This requirement that businesses announce their non-compliance in the event of a Data breach is bolstered with the threat of immense fines. Breach of Article 34 (& Articles 8, 11, 25-39, 42, 43) result in a maximum penalty of £10,000,000. This, rather shockingly, exists as the lower tier of potential punitive damages to be imposed in the event of a breach. In fact, failure to comply with Articles 5, 6, 7, and 9 can result in an eye-watering £20,000,000 fine and an embargo on future trade licensing within the EU,
Businesses in a spectrum of industries will have to change they interact with Data, but the requirements of GDPR run deeper than that. Businesses will have to begin to formulate a comprehensive plan of action. Delegating responsibility to assigned individuals and even creating a post called “Data Officer” to properly handle these new burdens.
The reason I Article 34, as opposed to any other of the 99 articles. Was because it demonstrates clearly the importance of having a thorough appreciation for this regulation across an entire company. It is quite easy to paint a rather startling hypothetical here.
> Employee A, unaware of the potential risks of insecure internet usage, unwittingly downloads a program found in an Email at work
> This program turns out to be a Virus which subsequently infects your system
> Customer Data is therefore compromised
> Article 34 then dictates that you announce this breach within 72 hours
> The announcement leads to massive distrust in your brand and the loss of sight.
Whilst this exists as perhaps the most simple demonstrations of the importance of company-wide GDPR adherence. It is also an incredibly potent tool to serve to employees who perhaps do not appreciate the importance of a strict Data protection policy.
In the world of Software GDPR has taken primacy as consideration for web and app development teams. In this sector, thought must be given at every stage of the development process in incorporate adherance to GDPR both at the end of the developer but also on side of the end-user. Here, software must be built with a suite of tools that enable users to moderate and control the Data of potential customers. Software does act as a good demonstration of how GDPR should be embraced at all levels. For example, at HARE.digital, when developing GDPR optimised software and web applications, our developers must, and do, have a thorough grasp on GDPR, most notably Articles 5, 8 and 9. These Articles dictate the requirement of Data Processors to remove, alter or explain Data held on a client on request. Again, in order to effectively implemented within the web or software application, this cannot be an afterthought and must instead be considered throughout the development process.
In my next Article, I will be discussing the impact of GDPR on SAAS and PAAS service providers.