14.10.2019, 17:38
Avoiding GDPR Fatigue
David Coleman, operations director at HSM UK, asks whether ‘GDPR fatigue’ is behind recent research finding that a third of businesses in the European Union are still non-compliant with the directive.
Over the last 18 months, it’s clear GDPR has contributed to a complete overhaul of the way organisations in the European Union handle their data. Many have made great strides – and for the right reasons. Others, however, have found felt a huge forward and for the right reasons. Yet for some, GDPR is felt as a weight on the shoulders of their organisation – but does it need to be?
For those accustomed to the word association game, the word pressure is usually synonymous with GDPR. It wasn’t too long ago that the phrase ‘GDPR’ sent shudders down the spine of anyone trying to desperately understand the new regulation, let alone prepare their business for it.
Fast forward almost a year and a half from the 25th May 2018, a lot has changed. Generally, individuals are now beginning to understand the regulation, with some questioning why data hasn’t always been handled this meticulously. For data handlers themselves, although this isn’t the case for everyone, steps have been taken in the right direction with many improving the way they handle confidential data and sensitive information.
Yet, there’s still a looming pressure to get GDPR right. For a year and a half now, fines and dented reputations have been hanging over the head of so many data handlers. Even those who have worked hard to improve their processes and meet the new standards haven’t always been able to keep up.
So this drives the question, are we in danger of GDPR fatigue?
UK under pressure
In July 2019, a study found that a third of EU businesses were still not compliant with the rules that were put in place a year prior. What’s more, a report conducted in September found that over half of UK businesses are still not fully compliant.
As we’ve seen in the news, organisations that aren’t compliant run the risk of heavy fines. The latter half of 2019 has certainly uncovered a string of data breach investigations as we now begin to see a number of organisations, big and small, succumb to the pressure of data protection. In one of this year’s larger cases, the Information Commissioner’s Office (ICO) has stated its intent to fine British Airways £183m under GDPR. This comes after a data breach concerning the personal data of approximately half a million customers.
British Airways representatives described the incident as surprising and disappointing with top analysts highlighting that this should act as a reminder that GDPR covers any business handling data. While that’s true, these news stories shouldn’t add to the ongoing pressure that data handlers are experiencing. Instead, this should be used as a motive to drive organisations to seek a simpler, yet effective approach towards data protection.
Keeping teams on track
Put simply, GDPR doesn’t need to be the oppressive regulation that it’s seen to be. For those that are feeling the pressure, or even worse, falling short with data protection, it’s important to take a step back and get the basics right.
For organisations, it’s key to remember that not all individuals will become a GDPR compliance specialist. With that in mind, it’s imperative that a business has the correct internal processes in place to support staff, and as experts have continually emphasised, raise education on the subject to at an appropriate level. If you take the shredding process as an example, teams within an organisation should understand the security level that they’re required to cut at. For example, Finance and HR departments should consider destroying their highly sensitive documents by cross-cut shredding to a level of P-5 or above, where as it is more appropriate to destroy documents within a general office environment at the lower P-4 security level. It’s this level of education and understanding that could be the difference between compliance and a GDPR breach.
Routine is also crucial. For those dealing with paper documents containing highly confidential or sensitive information, shredding procedures should be encouraged as part of a routine. Whilst it’s a step in the right direction to own an internal shredder system, it’s not enough if they’re not being used correctly. Staff should be encouraged to deal with confidential documents and shred them at the point of use as soon as they are no longer needed. Whole documents left waiting to be disposed are at risk, and only once shredded appropriately is information totally secure.
With this in mind, teams may benefit from employing what is known as a clean desk policy – helping to ensure that sensitive information is out of sight of visitors and third parties that are visiting an organisation’s office space for example. Furthermore, the use of internal shredders guarantees instant document security by reducing the risk of misplaced, lost or stolen printouts. Without routine, an individual can be subject to uncertainty and this can mount pressure and lead to GDPR burnout.
A data procedure is for life
Avoiding this fatigue is paramount for organisations right now. To implement an effective data security process, continual investment (both time and financial) is key. As we know, data protection has changed, and organisations must now support their staff to assure compliance.
Pressure is invited upon organisations that have, and still continue to, approach GDPR in the wrong way – it has never been enough to view it as an afterthought. Only when data security is taken seriously will organisations be able to alleviate the pressure associated with GDPR.
Sources
https://www.consultancy.uk/news/21951/30-of-european-businesses-still-not-gdpr-compliant
https://www.helpnetsecurity.com/2019/09/12/uk-businesses-gdpr-compliance/
https://www.theguardian.com/business/2019/jul/08/ba-fine-customer-data-breach-british-airways
Author
