I might be about to make myself unpopular. Especially given the torrent of consent emails currently overflowing from all our inboxes.
But I think GDPR is pretty good.
Yes, it’s fiddly.
We all like a GDPR moan, myself included. If you follow me on social media you’ll definitely know that.
And yes, it’s a lot to get your head around, particularly if you collect or process sensitive data about people.
But to be honest, my data is important.
If you’re lucky enough to hold information about me, especially if it’s the sensitive stuff, I want you to look after it. In fact, GDPR doesn’t really add anything that I wouldn’t already expect you to be doing.
It’s all too easy to potter on collecting people’s information and not think twice about the implications of what you do with it, how you store it, and what would happen if someone else got hold of it. Perhaps my years working in Children’s Services, dealing with the most sensitive information on a daily basis, have made me particularly tuned in to these issues. Perhaps it’s something we should all be more on top of.
On top of that, GDPR is A Good Thing because it’s making it clearer what we should expect from organisations across Europe.
It means we won’t be left floundering amid all the countries’ different rules. And by virtue of the fact that Europe is pretty big, organisations worldwide are having to take note and up their game in line with this too. We shouldn’t complain about this.
There’s been so much chat about all this lately and I’m hearing two extremes.
There’s the total GDPR panic.
Small businesses thrown into a whirlwind of distress because they’re overwhelmed by what they need to do by 25th May.
I think a lot of this is self-perpetuating, and equally some of it is fuelled by a few GDPR professionals who are scare-mongering to get business. Don’t get me wrong – there are other professionals out there giving advice and doing a wonderful job – but you’ll always get the ones who see an opportunity to gain from it.
The truth is (at least in my opinion) that most of this is common sense. You need to know what information you hold, where it comes from, how you store it and what you do with it. Then you need to check that none of those elements leaves you unreasonably exposed to a data breach. And you need to document all that. It doesn’t need to be overly complicated if you’re a small business. In fact, even if you’re a huge business, keeping it as simple as possible is always the way to go with these things.
Then there’s the opposite – the ‘nobody will care if your small business isn’t GDPR compliant’ attitude.
Yes, there’s an element of truth here. Attention will likely focus on the bigger organisations, especially at first, and those with high-risk data. And as long as you’re working towards compliance, taking steps in the right direction, that’s a great start.
But that’s not really the point, is it? GDPR is about making sure that people’s data (including your own) is treated responsibly and with respect. It’s not about complying for the sake of the legislation. It’s about complying because it’s the right thing to do. Because you wouldn’t want someone else to mishandle information about YOU. We all have our part to play.
So, don’t panic, but do be responsible.
Think about what data you have, map it out and take it from there. There are SO MANY resources online that you can search for yourself, so I’m not going to signpost any except for the Information Commissioner’s Office website, which gives the official guidance for the UK.
Anyway, I’m going to get down from my soapbox now. I’ll put it away neatly, but just so you’re warned, it’ll be somewhere I can find it again quickly when I next need it…
If you’re really into privacy notices and stuff there’s one on my website. Why not head on over and take a look? You never know, you might find some other interesting stuff too.