Morson hosts GDPR masterclass
Dozens of businesses from across the North West attended a GDPR masterclass from the Morson Group, designed to give organisations the tools and insights they need to prepare and comply ahead of the General Data Protection Regulation changes in May 2018.
The free event, held at the Morson Group’s head office in Salford, focused on the impact of GDPR on recruitment and procurement, an area in which the company is already fully compliant.
A panel of expert speakers included Paul Stedman, contracts and employment specialist at BBS Law, and Terry Pudwell, chief executive and joint founder of Assuria Ltd. Each gave the audience a knowledgeable overview of GDPR from a legal and technical perspective, guiding them through how data must be correctly stored, processed, shared and protected from May 2018.
Stedman stressed the importance of only collecting and storing staff and client information that is pertinent to your business, something which will differ between organisations depending upon their sector and service. Whilst businesses could face fines of up to €20m or 4% of group global turnover, he explained that it is unlikely a penalty of this scale will be commonplace for most organisations.
He also discussed the lawful processing of data and how every business must have the ability to demonstrate that consent has been provided from the individual in order to hold and process their data.
From a legal perspective, Stedman’s top GDPR tips were:
- Ensure support and buy-in from the board, with an accountable director.
- Develop standards and frameworks business-wide for processing data.
- Appoint a project team for the development, implementation and delivery.
- Identify high-risk databases and data flows, and erase any data that isn’t required.
- Map your data to find out what you hold, where it is from, why you possess it and what your intentions are with it.
- Mirror this data against the legal requirements to identify if and why you must hold this type of personal data.
- Review and amend contracts with employees, contractors, customers and clients.
- Review and update your policies including privacy, data protection, data retention, disciplinary, IT and communications.
- Develop and implement a data breach response plan.
- Create a robust data register.
- Appoint a data protection officer (DPO).
- Undertake data protection impact assessments (DPIA), where necessary.
- Implement and regularly review processes and systems to ensure compliance.
- Train your staff, communicate the changes and update regularly across your business.
Pudwell discussed the impact of the GDPR principles from an online security perspective, explaining to the audience how cybercrime now exceeds all other types of crime.
“Organisations are no longer able to ignore the problem and hide a data breach,” explained Pudwell. “As from May 2018, every business must report a breach to the ICO within 72 hours of becoming aware of it.
“Good cyber security practice is already being used by global banks, who are heavily regulated, and it is here where we must look for examples and ideas on how to protect our organisations online.”
Businesses should be able to demonstrate a good awareness of security and data privacy, and these have to be ingrained in their culture, Pudwell added. His top tips for compliance and for creating this GDPR data culture were:
- Know exactly what data you have, where it’s stored, how it’s processed and by whom.
- Employ strong controls around your data.
- Run regular staff training and awareness campaigns.
- Only give users access to the data they need to work with and no more.
- Develop rigid data retention policies and delete data when the policy says so.
- Implement robust security safeguards through new technology, e.g. protective monitoring.
“Lawfully storing data is just one small part of GDPR and not enough businesses, especially SMEs, can effectively protect the data they hold from a breach,” explained Mark Howarth, director at Morson Cyber Security. “Yet a breach doesn’t always have to be external from a hacker, with many organisations suffering problems from the actions of an employee.”
Tony Beddows, director at Morson Cyber Security, concluded, “We were overwhelmed by the demand for this event by having to increase the capacity a number of times to accommodate additional requests.
“GDPR is a real and present issue that needs to be on the agenda of every business and a priority for every department, not just IT, HR or marketing.
“So many different businesses were in the audience but what really struck me is that many of those in the room, both big and small, were yet to comply. People have been banging the ‘GDPR drum’ for a while now and I think that businesses are finally starting to sit up, take notice and action change.
“Yet there’s only a few months to go before the new regulations become a reality and we know from experience that compliance takes time. The nature of our own business means that we hold and process thousands of data records, and complying well in advance was a priority to make sure the new systems and changes could be tested, tweaked and perfected.
“This event was designed to show businesses that you can comply ahead of May 2018 if you prioritise the changes and drive it throughout the culture of your organisation. Only a few other GDPR events have focused specifically on HR and procurement, and that really showed with the demand for places.”