It’s easier to avoid discussions on the weather or Boris Johnson than GDPR these days, but what is it about and should we care?

The purpose of GDPR seems to be to set a secure environment giving individuals comfort that their data is being held for a reasonable purpose by entities with a right to hold it, is not retained once it is no longer needed, and is kept (and transmitted) safely.

If you’re reading and can understand this you are an individual. Artificial Intelligence will change that, but there are no current plans to extend GDPR protection to your Tesla or food processor. Fans of Star Trek Next Generation will understand that this may change one day when data on Data will be private data. 

Mirroring a famous alcohol recovery programme, the Information Commissioner’s Office have published a 12 step guide which should be everyone’s starting point - my name is Mark Zuckerberg I am a code junkie and have not haemorrhaged data for three days now – hello Mark.

This has been extended by the software houses to cover the sale of every single product, portal and system appraisal possible at the highest price with a sense of “otherwise you die” urgency.

It comes into effect on 25th May – but the world is not expected to change overnight to a comfy secure internet paradise. The expectation is that businesses will start to put implementation plans together – not be perfect data handlers from 26th May.

Let’s increase the thinking and reduce the spending for a moment – take a (stiff drink and a) look at some of the 12 steps:-

Step 1, Awareness. Don’t just look at the baffling sales pitches of your computer people, read your trade press and web groups to see what the general level of panic is and who is doing what in similar businesses. 

Step 2, Data held. Your accountant or anyone who knows your system can detail the relevant records you hold. The advantage of using your bean counter is that this can be reviewed annually when the accounts are prepared – and this will be looked at in conjunction with jolly old step 7, do you have appropriate consent to hold the information? 

Step 3, Communication – this is going to be the destroyer of worlds – effectively, is your email system robust enough to guarantee the safety of data? We accountants will be learning a lot about data encryption and secure portals this year. 

The business will need to identify the responsible officer (step 11) and as sure as little green apples there are third parties vying for this work. To our mind this should never be an outsider for an SME – it is a job far better done in-house.

Nobody is going to jail for getting this wrong in the immediate future – though that will come. Data breach cases will be judged in light of the attitude of the data holders towards the principles of GDPR – and as the top end of the fines scale is eye watering you should expect many statements of policy from those holding your personal data. 

Here at Scodie Deyong we have formalised our data storage, retention and destruction policy – it was always reasonably robust as it is mostly set in law, but if anyone can tell me where our email policy will end up – You're a better man than I am, Gunga Din.