GDPR: What You Should be Doing

Fed up with reading about GDPR? Already skimming past articles about it in your feed? We’re not surprised, and we don’t blame you. Stick with us and read this one, though: we’ll keep it succinct.

You should be concerned about GDPR. It is hard to conceive of any organisation that need not consider its impact, because GDPR applies to ‘personal data’, meaning any information relating to an identifiable person: someone who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier.

Many companies will have you believe that the headline is that non-compliance with GDPR can lead to a fine of up to €20 million or 4% of worldwide annual turnover, whichever is higher. While this is true, the real issue is that society has become more aware of, and less tolerant of, unethical use of personal data. The motivation to ‘do the right thing’ is greater than ever and growing, and users will increasingly make decisions based on an organisation’s approach to personal data.

The good news is that GDPR is not entirely new. As the ICO put it, GDPR is an “evolution in data protection, not a revolution”. Nothing in the principles of GDPR should be unfamiliar:

  • Data should be processed lawfully, fairly and in a transparent manner.
  • Data should be collected for specified, explicit and legitimate purposes and not further processed in a way that is incompatible with those purposes (further processing for archiving, research or statistical purposes is not treated as incompatible).
  • Data collected should be adequate, relevant and limited to what is necessary for those purposes.
  • Data held should be accurate and, where necessary, kept up to date.
  • Data should be held in a form that permits identification of the individual for no longer than is necessary.
  • Data should be held securely, protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.

There really is nothing new under the sun. The principles of GDPR follow those of sound data protection. We look upon GDPR as an opportunity to ensure, and to prove, that you are behaving ethically. It’s all too easy to see data as an asset, and many organisations have taken every opportunity to gather data wherever possible without a clear and present mandate for its use. We’ve all been frustrated by documents on the web that are only released to us once we fill in a form, or by forms that gather far more information than the task requires. We’ve all been asked “can I have your postcode please?” in a store when buying or returning goods.

So, to the detail. The UK Information Commissioner’s Office (ICO) is a great resource, even for organisations not based in the UK. The UK Government has issued a Statement of Intent for a Data Protection Bill to update and strengthen data protection law; the Bill will bring GDPR into UK law.

We have produced a GDPR Checklist with the aim of giving everybody easy access to a full list of the actions and considerations that are required. Subject Access Requests will be dealt with in a future post.

It seems to us at Zen that the nature of GDPR has led every company that produces business management software to offer advice, which has made the market very cluttered. Zen Logic comes at the challenge from the direction of Privacy by Design, which is one of our founding principles. We see GDPR not as a sales opportunity but as a chance to further our goal of making privacy an integral part of every system built.