What Does GDPR Mean for Senior Management?

Ben Hancock
Managing Director | Yellow Room Learning
7th March 2018


The General Data Protection Regulation (GDPR) is a set of regulations designed to protect the data of people living in the EU. These regulations will change how businesses can collect, process, store, and share the data of their customers. Businesses must comply with the GDPR or face heavy fines.

We ask 'What does GDPR mean for senior management?'

This guide will explain the key principles of the GDPR and how senior management should help their workplace prepare for the adoption of the GDPR. We explore the consequences of non-compliance and finally explain how Yellow Room Learning can help your business prepare for these significant changes by providing GDPR and cyber security awareness training for employees.

Why was the GDPR created?

The Internet has completely transformed the way that businesses can collect, process, store, and share data. Businesses have many more opportunities to collect data from users and track their movements online. Once user data has been collected, it is very easy to store it, share it with third parties, or process it to obtain useful information.

Unfortunately, there have been many instances of businesses mishandling user data or obtaining it inappropriately. In some cases, confidential user information has been leaked online by businesses or lost as a result of cyber attacks. Many businesses have also been sharing user data with third parties without a user’s consent. This kind of behaviour has damaged the public’s trust in businesses. Many consumers no longer trust businesses to handle their data ethically and are demanding more rights.

The GDPR was created to help rebuild trust between individuals and businesses. It provides a standardised set of rules for how data should be gathered and handled. It also gives individuals more control over how their data is used. Users will be able to demand that their data is deleted by a business or obtain copies of all of the data that a business has on them. Businesses must also ask for a user’s permission before collecting certain types of data.

The GDPR works in conjunction with the UK’s Data Protection Act 1998 (DPA) and harmonises the UK’s data protection laws with other countries in the EU. Legislators expect that having the same set of data protection rules across the EU will save businesses billions of dollars. The GDPR comes into effect on the 25th of May 2018 and replaces EU directive 95/46/EC (EU Data Protection Directive). Although the UK is leaving the EU, it is expected that legislators will continue using the GDPR.

The key principles of the GDPR

The GDPR is based on six key principles:

1. Purpose limitation. Data can only be collected for specific, explicit, and legitimate purposes. The user must be fully aware of the specific and legitimate reasons for data collection.

2. Data minimisation. The data collected from the user must be relevant and limited to the intended purpose.

3. Lawfulness, fairness and transparency. Businesses must be fully transparent with the user and tell them how data will be collected and processed. The data collection and processing techniques must match up with the tests described in the GDPR.

4. Accuracy. Businesses must ensure that data is accurate and kept up to date.

5. Storage limitations. Businesses should only keep a user’s data as long as absolutely necessary. User data that is no longer required must be deleted.

6. Integrity and confidentiality. Businesses must have appropriate security measures in place to keep users’ data safe and confidential. They must also have measures in place to prevent unlawful processing, accidental loss, or damage of data.

The role of senior management

Senior managers are ultimately responsible for ensuring a business complies with the GDPR. Some of the key areas they must address include:

• Creating a GDPR compliance programme.

• Creating workplace policies that ensure continued GDPR compliance.

• Ensuring data security procedures are in place and data handling technologies are up to date.

• Taking steps to ensure users are well aware of their rights and understand how and why their data is being used.

• Auditing the ways the business collects and processes user data, ensuring they are GDPR compliant.

• Providing adequate staff training to ensure employees comply with GDPR principles.

• Ensuring any third-party data processors the business uses are compliant with the GDPR.

What are the consequences of non-compliance?

Infringement of some of the GDPR laws can result in fines, big fines. For example, a fine of €20mn or 4% of global annual turnover (whichever is greater) can be expected if the ‘Conditions of consent’ or ‘Lawfulness of processing’ Articles are not observed. These two examples are not exhaustive by any means. Smaller fines of €10mn or 2% of global annual turnover can be issued if Articles such as ‘Records of processing activities’ or ‘Security of processing’ are infringed. Again, there are many more to consider.

Are you personally liable as a senior executive?

The GDPR does not hold directors and officers personally liable at the moment. However, the Data Protection Bill, which was introduced to the House of Lords in September 2017 to supplement the GDPR, makes clear that if an offence is knowingly committed, or committed through negligence, the director, as well as the company, will be liable to prosecution.

How can Yellow Room Learning help your business?

Yellow Room Learning can help your business comply with the GDPR by providing the following services:

• GDPR training for employees. We can provide general GDPR training to your staff to improve their awareness of the GDPR and to highlight the key points.

• Tailored training. We can custom build a training module that incorporates your business’s policies and includes role-specific information so that employees know how they are affected.

• Cyber security training. We can teach your employees how to protect your business’s information and data and therefore reduce the risk of a data breach ever occurring.

• Compliance. By carrying out some or all of the above you can demonstrate that your business has taken suitable measures to protect your customers’ data.

Thanks for reading What Does GDPR Mean For Senior Management?

To learn more about information security or GDPR training, contact Yellow Room Learning today on 0800 292 2900. Do you want to keep up to date with the latest cyber security awareness news and articles? Follow us on LinkedIn.
