Sunday, 25th November 2018 marked 6 months since the GDPR came into force and, having helped a number of clients over this period, we wanted to bring you up-to-date with our findings.
For context, at Pragmatiks Consulting, we primarily work with Business Leaders to identify and resolve issues which are impacting business growth. Because of the amount of press in the run up to GDPR going ‘live’, data protection has been perceived as getting in the way of growth and, as a result, we have been engaged by a range of businesses to help them with their GDPR programmes.
Here’s what we have learnt: -
Whether your business is big or small, in the private or public sector, servicing business customers or consumers, the GDPR applies. We haven’t come across a single exception to this having worked with accountants, retailers, importers, manufacturers and financial services businesses.
Unless the primary function of your business revolves around data processing, hosting and/or related activities, the types of personal data collected, processed and stored are likely to be easily manageable and will fall into one of three categories; namely employee, customer and supplier data.
There is much confusion over what is and isn’t personal data, with confidential data frequently being classified as personal data. Furthermore, in conversations with the ICO, we have also learnt that what constitutes personal data is contextual. For example, a car registration number is not personal data to the average person in the street, because there is no way to link the registration number to a ‘natural person’. However, if you have means and intent, that is you are a parking enforcement officer for example, that car registration number would be considered personal data.
Putting processes in place to manage your GDPR obligations delivers unexpected efficiencies such as consolidation of suppliers, greater returns on marketing effort and lower data storage costs to mention but a few.
Of all the functions touched by GDPR, our experience has shown that marketing departments have the most to do and need to fully embrace and understand not just the GDPR, but also the Privacy and Electronic Communications Regulations (PECR).
Key policies which have been identified as sub-optimal are retention policies and privacy policies.
In spite of the horrific predictions, since 25th May 2018, monetary penalties issued by the ICO is just 16 (taken from ‘Action we’ve taken’ from ico.org.uk).
In summary, satisfying your GDPR obligations need not be difficult, costly or time-consuming and, if you’re still unsure about how to approach it, contact us by email to firstname.lastname@example.org, call us on +44 20 3290 9969 or book a FREE call at https://calendly.com/pragmatiks.