Under Data Pressure: Avoiding GDPR Fatigue

Over the last 18 months, it’s clear that the European Union’s (EU) General Data Protection Regulation (GDPR) has contributed towards a complete overhaul of the way in which we handle our data. Many organisations have made strides forward, and for the right reasons. Yet, for some at least, the GDPR is felt as a weight on the organisation’s shoulders. Does it need to be? Mark Harper thinks not.

For those playing the word association game, the word ‘pressure’ is usually synonymous with the acronym ‘GDPR’. It wasn’t too long ago that the phrase ‘GDPR’ sent shudders down the spine of anyone desperately trying to understand the new EU Regulation, let alone prepare their business for it.

Fast forward almost a year and a half from 25 May 2018 and a great deal has changed. Generally, individuals are now beginning to understand the GDPR, with some questioning why data hasn’t always been handled this meticulously. Data handlers themselves, although this isn’t the case for everyone, have taken steps in the right direction, with many improving the way in which they handle confidential data and sensitive information.

However, there’s still a looming pressure to make sure GDPR compliance is right. For a year and a half now, fines and dented reputations have been hanging over the heads of so many data handlers. Even those who’ve worked hard to improve their processes and meet the new standards haven’t always been able to keep up.

That begs the question: ‘Are we in danger of GDPR fatigue?’ 

UK under pressure

Back in July 2019, a study found that one third of EU businesses were still not compliant with the rules that were put in place a year prior. What’s more, a report conducted in September found that over half of UK businesses are still not fully compliant either.

As we’ve seen in the news, organisations that are not compliant run the risk of heavy fines. The latter half of this year has certainly uncovered a string of data breach investigations as we now begin to see a number of organisations, big and small, succumb to the pressure of data protection.

In one of this year’s larger cases, the Information Commissioner’s Office has stated its intent to fine British Airways £183 million under the GDPR. This comes after a data breach involving the personal data of approximately half a million customers.

British Airways representatives described the incident as surprising and disappointing, with top analysts highlighting that this episode should act as a reminder that the GDPR covers any business handling data.

While that’s true, these news stories shouldn’t add to the ongoing pressure that data handlers are experiencing. Instead, they should be used as positive motivation to drive organisations to seek a simpler, yet more effective, approach to data protection.

Keeping teams on track 

Put simply, the GDPR doesn’t need to be the oppressive regulation that it’s seen to be. For those that are feeling the pressure or, even worse, falling short with data protection, it’s important to take a step back and make certain that the basics are right.

For organisations, it’s key to remember that not all individuals will become GDPR compliance specialists. With that in mind, it’s imperative that a business has the correct internal processes in place to support staff and, as experts have continually emphasised, raise education on the subject to an appropriate level.

If you take the shredding process as an example, teams within an organisation should understand the security level at which they’re required to cut. For example, Finance and HR Departments should consider destroying their highly sensitive documents by cross-cut shredding to security level P-5 or above, whereas it’s more appropriate to destroy documents within a general office environment at the lower P-4 security level. It’s this level of education and understanding that could be the difference between compliance and a GDPR breach.

Mark Harper

Routine is also crucial. For those dealing with paper documents containing highly confidential or sensitive information, shredding procedures should be encouraged as part of a routine. While it’s a step in the right direction to own internal shredders, it’s not enough if they’re not being used correctly. Staff should be encouraged to deal with confidential documents and shred them at the point of use, as soon as they’re no longer needed. Whole documents left waiting to be disposed of are at risk. Only once shredded appropriately is the information totally secure.

With this in mind, teams may benefit from employing what’s known as a clean desk policy, helping to ensure that sensitive information is kept out of sight of visitors and third parties who are present in an organisation’s office space. Furthermore, the use of internal shredders provides instant document security by reducing the risk of misplaced, lost or stolen printouts. Without routine, an individual can be subject to uncertainty, and this can cause mounting pressure and lead to GDPR ‘burnout’.

A data procedure is for life

Avoiding this fatigue is paramount for organisations right now. To implement an effective data security process, continual investment (of both time and money) is key. As we know, data protection has changed, and organisations must now fully support their members of staff to ensure ongoing compliance.

Pressure is invited upon organisations that continue to approach the GDPR in the wrong way. In truth, it has never been enough to view it as an afterthought. Put simply, it’s only when data security is taken seriously that organisations will be able to alleviate the pressure associated with the GDPR.

Mark Harper is Head of Sales at HSM 

Sources 

https://www.consultancy.uk/news/21951/30-of-european-businesses-still-not-gdpr-compliant

https://www.helpnetsecurity.com/2019/09/12/uk-businesses-gdpr-compliance/

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/ico-announces-intention-to-fine-british-airways/

https://www.theguardian.com/business/2019/jul/08/ba-fine-customer-data-breach-british-airways

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
