1. What is the GDPR’s biggest misconception?
During the initial years of the GDPR coming into force, there was a widespread view that it was all about cybersecurity. While cybersecurity is crucial for safeguarding personal data, it is just one aspect, covered under Article 32 of the GDPR. When businesses were preparing for GDPR implementation they often delegated the work to their IT teams, whereas they might have been better off talking to lawyers and in-house compliance. The GDPR, like any other regulation, puts an emphasis on accountability and its natural neighbour – record keeping. What would become the single biggest privacy regulation ever was originally drafted as a legal act designed to scrutinise an organisation’s policies. This means that if there is an investigation, regulators examine a business through the lens of its paperwork: if it is not able to keep its paperwork in order, how could it ever ensure the integrity of personal data?
As we at Leo understand, meeting these record-keeping requirements may seem a daunting and costly exercise. This is why we have worked hard to streamline the GDPR requirements and make compliance accessible for any business. With our fully integrated online training, a set of dynamic registers for recording your privacy matters and a compliance monitoring programme that guides you through the regulation, you can build out your compliance framework without exposing yourself to high costs.
2. Why should SMEs care about the GDPR if regulators seem to be focussing on the big tech companies?
Many GDPR-related complaints against businesses have come from data subjects, both individuals and privacy activist groups. For example, Austrian activist Max Schrems has developed an organisation called NOYB (styled as “None Of Your Business”), officially known as the European Centre for Digital Rights. So far Schrems as an individual and his organisation have made headlines as the ones taking on big tech companies, notably Meta. Silicon Valley giants are the obvious targets, considering that personal data is their commercial bread and butter.
However, there are cases where GDPR complaints concern SMEs, notably over data subject requests. There are also major risks in policy and monitoring failures when it comes to disclosing any hacking activity. All of these breaches, which concern every company, could lead to fines and, at the very least, to much business sweat and stress as compliance rushes to fix any wrongdoing. There is also the bother of cynically motivated complaints, which can likewise cause much business interruption.
That is why Leo keeps policies and monitoring in easy-to-access software, so that requests can be dealt with easily and responsibilities are clear for anyone to act on, notably when it comes to reporting any breach.
3. What are the most overlooked requirements of the GDPR?
Almost anyone who cares to comply with the GDPR has by now managed to put the basics of the GDPR requirements in place in their company. This usually covers the privacy notices, privacy policies and the training. However, many businesses did not take much notice of the requirement in Article 30 GDPR to maintain records of personal data processing activities. It is an exercise designed, first, to document the context and ways in which personal data is processed and, second, to get organisations thinking about their businesses in the context of personal data exposure.
In effect, the GDPR requires that, with this information and documentation in hand, compliance thinks further about the impact of the GDPR on the organisation’s use and control of personal data. This thinking should inform better privacy controls, from the ability to respond to data subject requests to meeting the principle of data minimisation. Yet many businesses are not focussing on these requirements, which may hurt when it comes to assessing the amount of any fine.
With software like Leo you can review the GDPR layout of your company and, through our configurable reports, create your own assessments and record your discussions of potential improvements, proving your adherence to the GDPR. This form of report creation is unique to Leo and makes any work around such discussions easy to collate and repeatable (annual reviews are encouraged but not mandatory); it will be part of your diary in Leo, as well as in Outlook if that helps.
The other requirement that is often overlooked has become a trap for foreign businesses and stems from the extraterritorial application of the regulation. As per Article 27, if you are a business established neither in the UK nor in the EEA, but you offer goods and services in the UK or the EEA, you ought to have a GDPR representative in the respective jurisdiction. The representative acts as a liaison between the foreign business and data subjects or data protection authorities. In the era of email and instant messaging, it may seem slightly artificial to have such a liaison, as sending an email to the organisation directly or to its representative makes no practical difference. Yet the regulator wants to ensure that data subjects and the authorities do not need to chase businesses all over the world but have a ‘local’ point of contact. At Leo, we have embedded this service, which sits on top of our software to give users a complete solution. We offer the services of UK and European Representatives, in both London and Paris. Do get in touch should you wish to discuss this further.
In the digital era of AI, with its heavy reliance on software-based CRMs and the commercial value of personal data and habits, the GDPR is a necessary step. Its vagueness, whilst criticised by many today for making compliance trickier, may become a useful feature while navigating the unknown future that Artificial Intelligence is quickly bringing about. In the meantime, compliance should focus on any overlooked requirements and automate processes of review beyond matters of cyber security, in order to demonstrate compliance and be responsive should a complaint or breach arise.