By Brian Cowan
Trust GDPR. Trust anything that comes out of the EU? I can hear the Eurosceptics out there cringing at the thought. The implementation of GDPR for May 25th 2018 has crept up on many. Now, having read the scare stories about large fines and other recriminations, panic is setting in. Lost in all of this is the true value of the regulation and its impact on us all.
Who do we trust?
A recent survey commissioned by the ICO revealed that 80% of the adults surveyed do not trust organisations with their information. The question asked was:
How much trust and confidence do you have in companies and organisations storing and using your personal information? Please answer on a scale of 1 to 5, whereby 1 means none at all and 5 means a great deal.
Some of the interesting figures from the 2153 adults surveyed showed:
Only 4% had “A great deal of trust”, whilst 14% had no trust at all
Of those working in the Public Sector 3% indicated a high level of trust whilst 15% had no trust
Of those working in the Private Sector 5% indicated a high level of trust whilst 12% had no trust
When asked the same question about the types of organisation storing their data, top of the list of trusted organisations were NHS hospitals and GPs, with a healthy 24% at the high trust level and only 5% at the no trust level. At the other end of the scale were social messaging platforms, which managed only 3% at the high trust level and 33% at no trust at all. Interestingly, the Police scored 19% at high trust and 8% at no trust at all.
Looking at commercial organisations, mobile, broadband and utility providers fared poorly on the high trust scale with 4%, and had the second highest percentage of respondents saying that they had no trust at all (16%). Online retailers such as Amazon and high street stores did not fare much better, with a high trust score of 5% and a no trust at all score of 13%.
The proportion of respondents giving a 2 or 3 was very high (typically 60-70%), indicating a level of suspicion rather than outright mistrust. Bands 5 and 4 (the upper trust levels) came in at around 20% in total, hence the 80% mistrust figure.
Where does GDPR fit in?
The new regulation makes organisations responsible for managing and protecting personal information. At any point in time, an individual can request a report detailing all of the personal information that an organisation holds on them. It also provides the “right to be forgotten”: the ability to request removal of personal information, provided that there is no justification for holding it (e.g. legal records, financial records). Trust will no longer be implied; it will be earned by maintaining compliance.
I, for one, will be glad to see an end to the careless distribution of personal information. I find it insane that the information we provide as important and mandatory to one organisation can be sold on to anyone else to be used and abused. OK, rant over (for now).
Food for thought
The survey indicated that 80% of the public mistrust these organisations. These are employees and customers who suspect that the information they provide is not being protected sufficiently. In a post-GDPR environment that is a high number of people who could be persuaded to demand reports from these companies.
Some of these people may also have buying influence within their workplace.
Steps to gaining trust
Back in 2014 the Government-backed Cyber Essentials scheme became a mandatory qualification when bidding for Government contracts where the storage of sensitive personal information was involved. This is a great first step for any organisation wanting to show a commitment to information security – and you get a certificate. Many of the steps required to prepare for EU GDPR are procedural best practices, but Cyber Essentials gives you a logo for your website, a certificate for the boardroom wall and a differentiator in competitive bids.
Cyber Essentials has a further advantage. It can include training for all computer users, helping to protect company data from accidental and malicious intrusion. Feedback from our consultants following cyber training sessions frequently includes users who can relate what they have learned to their home life as well. Seeing this value in some of the training encourages them to adopt the other principles more readily.
This does not deliver GDPR readiness, but it does show that steps have been taken to protect information. Other areas for consideration include:
IT Policy: The definition of policies specific to information security that can be used to demonstrate that procedures are in place and that staff have signed up to them.
Information awareness: The use of software tools to identify types of information stored, where it is held and what protection is in place for it.
Data management: Procedures that define the purpose of data collected, how long it should be stored and the elements of it that can be deleted if a “right to be forgotten” request is received.
Marketing policy: A document that sets out how the organisation should contact individuals. In a B2B environment this defines email and telephone marketing rules and also ties into the Data Management procedure. For the B2C model, keeping contact information relevant, with permission to contact, is essential.
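The three processes described above and in the section on where GDPR fits in (knowing which systems hold which kinds of personal data, producing a report of everything held on one individual, and honouring a “right to be forgotten” request except where a legal or financial retention obligation applies) can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the article, the ICO or Keytech; the system names, record layout, detection patterns and the retention periods in RETENTION_RULES are constructed assumptions, and the sample records are invented.

```python
"""Toy data-inventory, subject-access and erasure workflow.

Added illustration only. System names, retention periods, detection
patterns and sample records are constructed assumptions, not real data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import re

# Assumed retention rules: purpose -> (years to keep, justification for
# refusing erasure). A justification of None means the data may be erased
# on request; a non-empty one is reported back when erasure is refused.
RETENTION_RULES = {
    "marketing": (0, None),
    "support":   (2, None),
    "invoicing": (6, "financial record"),   # assumed accounting retention
    "contract":  (6, "legal record"),
}

@dataclass
class Record:
    system: str       # internal system holding the data (assumed names)
    subject_id: str   # internal identifier for the individual
    purpose: str      # why it was collected; a key of RETENTION_RULES
    collected: date
    fields: dict      # field name -> value

# Constructed detectors for common personal-data field types (UK-centric).
# Names and free text need context or dictionaries, so they are not covered.
PII_PATTERNS = {
    "email":       re.compile(r"^[\w.+-]+@[\w-]+\.[\w.]+$"),
    "uk_phone":    re.compile(r"^(?:\+44|0)\d{10}$"),
    "uk_postcode": re.compile(r"^[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}$"),
}

def classify_fields(fields):
    """Return {field_name: category} for each value that looks like personal data."""
    found = {}
    for name, value in fields.items():
        if not isinstance(value, str):
            continue
        for category, pattern in PII_PATTERNS.items():
            if pattern.match(value):
                found[name] = category
                break
    return found

def inventory(store):
    """Information awareness: which systems hold which categories of personal data."""
    result = {}
    for rec in store:
        result.setdefault(rec.system, set()).update(classify_fields(rec.fields).values())
    return result

def subject_access_report(store, subject_id):
    """Everything held about one individual, with the system and purpose for each item."""
    return [
        {"system": r.system, "purpose": r.purpose,
         "collected": r.collected.isoformat(), "data": dict(r.fields)}
        for r in store if r.subject_id == subject_id
    ]

def erasure_request(store, subject_id, today):
    """Apply a right-to-be-forgotten request.

    Records with no justification for retention, or whose retention period
    has lapsed, are dropped. Records the organisation is obliged to keep are
    retained, and the reason and expiry are returned so the partial refusal
    can be explained to the individual. Returns (remaining_store, retained).
    """
    remaining, retained = [], []
    for r in store:
        if r.subject_id != subject_id:
            remaining.append(r)
            continue
        years, justification = RETENTION_RULES[r.purpose]
        expires = r.collected + timedelta(days=365 * years)   # approximate, ignores leap days
        if justification and today < expires:
            remaining.append(r)
            retained.append((r.system, justification, expires.isoformat()))
    return remaining, retained

# Constructed sample records; the people and values are invented.
SAMPLE_STORE = [
    Record("crm", "cust-001", "marketing", date(2017, 3, 1),
           {"email": "alice@example.org", "phone": "07700900123"}),
    Record("helpdesk", "cust-001", "support", date(2016, 6, 10),
           {"email": "alice@example.org", "postcode": "M1 1AE"}),
    Record("accounts", "cust-001", "invoicing", date(2015, 9, 20),
           {"name": "A. Example", "postcode": "M1 1AE"}),
    Record("crm", "cust-002", "marketing", date(2017, 1, 5),
           {"email": "bob@example.net"}),
]

if __name__ == "__main__":
    print(inventory(SAMPLE_STORE))
    print(subject_access_report(SAMPLE_STORE, "cust-001"))
    print(erasure_request(SAMPLE_STORE, "cust-001", date(2018, 5, 25))[1])
```

The point of the erasure routine is the second return value: a request is not simply accepted or refused, and the individual should be told which items were kept and why. Running the same request against the same store at a later date, once the invoicing record has passed its assumed six-year retention, erases everything for that individual.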
Trust GDPR – why not?
From May 2018 we will all trust GDPR to ensure that organisations treat personal information with respect. There will be teething problems, but ultimately it represents a step towards better individual privacy. If my mobile phone log were to be believed, I am lucky to be alive after being injured in so many accidents, and I cannot remember any of them!
Based on the survey above, something needs to happen to restore public faith in organisations of all types. GDPR appears to represent the first step along this journey.
Finding GDPR information
The Information Commissioner's Office (see below) is the best source of reference information on GDPR. The blogs from the ICO provide updates and insight into the regulation and its impact. As the regulating authority, their information has to be considered invaluable.
Keytech and our partners run regular GDPR briefings around the North West. Typically these address the legal, human resources, information management and cyber protection aspects of GDPR. They also include open forum discussions to allow delegates to raise questions and share experiences.
The events also provide access to the help available to address any GDPR requirements or concerns.
The next public event is being scheduled for January 18th in the North West of England. It will run for a morning only, allowing time for delegates to meet the speakers and ask questions. For further information please email: firstname.lastname@example.org.
Information Commissioner's Office (ICO)
The ICO is the UK organisation responsible for GDPR implementation and enforcement. They stress that enforcement, whilst essential, will not be a revenue-raising exercise, and they are keen to reduce the level of fear that the scare stories have engendered. Their website has a lot of very useful information on data security and GDPR.
With Christmas getting close, there is a very good article by the Deputy Commissioner, Steve Wood, providing useful advice to parents buying “smart” toys for their children here. The principles outlined in the article can equally be applied to any smart-tech purchase.