One of our lovely Fire & Security clients asked me recently whether I could just “sort out his GDPR thing for him”.
Sadly, it’s not as simple as asking your regular trusted advisor – even though everyone has an opinion on the subject. At the end of the day, it’s your name that is fully in the frame, and you are personally liable if you, your company or your employees are found to be non-compliant.
And with two tiers of eye-watering fines that are more than enough to break even the biggest business:
- Up to €10 million, or 2% annual global turnover – whichever is higher.
- Up to €20 million, or 4% annual global turnover – whichever is higher.
It’s definitely worth consulting a GDPR expert in your area.
In Southend, that’s Ray Snow of Thrive2Distinction.co.uk. So we asked him what the crack is for Fire & Security companies.
When is the big day?
Friday 25 May 2018 is when it all kicks in and you and your business need to be ready.
Do I need a Data Protection Officer?
Some companies will need a dedicated DPO – there are rules regarding size and other criteria – but it will need to be a senior member of staff who has no fear of challenging the existing management over the way they want to do things in the future.
Dealing with Data
You need to know and be able to prove:
- what data you are holding,
- why you are holding it,
- how and where you are holding it,
- whether it is correct,
- who gets to see it,
- whether you have permission to hold it,
- whether you have permission to hold it for the reason you are holding it,
- whether you can produce it, and in what format, if a data subject wants to see it,
- whether you can delete it easily if a data subject asks you to.
You then need a documented process covering all of the above that you can show to the ICO if they ask to see it.
Think about your automated systems for managing jobs and storing client data – where is the data actually stored? Is it in the UK or EU… or somewhere else?
Consider any email or other data lists that you may have purchased or just accumulated over the years – those spreadsheets that are just sitting on your computer or server and have been for some years. Did you get permission to market to those people? Did you get permission to hold their data?
And it’s not just you and your employees, it’s anyone you outsource data to – like Payroll – you need to make sure that they are compliant too!
Processes and documentation
Any documents that talk about privacy or data protection will need to be addressed – both online content and Word documents.
Your employee contracts will need to be reviewed to cover the GDPR implications for each individual: not just the storage of their own data, but what access they have to data belonging to other employees, prospects or customers.
You will also need to address the way that you gather data – contact forms on your website or real world documentation for the jobs you are managing. Are these set up so people opt in to being contacted by you?
Again, the storage of this data also needs to be looked at – is it in the UK or EU… or somewhere else?
If the ICO come knocking, do you have documentation to show the processes that you have in place to comply with GDPR?
We’re a group of companies – do we need documentation for each individual company within our group?
This is one question that is particularly relevant to the Fire & Security industry, where a lot of growth comes through acquisition. Sometimes these are merged into one group providing all the services, but the individual acquired companies’ websites still exist. It will depend on whether each company collects, handles and stores data in exactly the same way. You would need to check with a GDPR expert about your organisational structure – will one set of documented processes be sufficient, or do you need something for each of your companies?
Currently the most famous cases where GDPR fines were incurred revolve around online breaches or real world incidents where laptops and data sticks have been mislaid.
If your surveyors and installers carry customers’ personal data on laptops, tablets or mobile phones, you should consider penetration testing, Cyber Essentials certification and disk encryption.
Reporting a breach within 72 hours
You and your staff need to understand the internal reporting processes required to recognise a breach, contain any potential damage, alert anyone affected and make a report to the ICO within 72 hours.
GDPR specifically for Security Installers
Of course, all that doesn’t deal with the elephant in the room – what are your liabilities with regard to GDPR and the systems that you design and install?
There’s a more technical article here from IFSEC, but GDPR will be a much more rigorous regulatory regime for CCTV signage and video surveillance. Previously, there were recommended codes of practice for fair processing, but the new emphasis on transparency will make Privacy Impact Assessments mandatory for high-risk processing after May 25th.
However, the general consensus is that, whilst GDPR will force organisations to build privacy and security into the design process, it will also provide a useful framework for developing best practice around cloud surveillance, the IoT and other emerging technology. And, being less prescriptive than the Data Protection Act, GDPR could incentivise innovation in compliance and cybersecurity. Rather than an unaccountable, invasive ‘eye in the sky’, it’s an opportunity to enhance the industry’s public image as a valued, trusted service.
GDPR help for Fire and Security installers
Consult an expert – but be careful. As with any ‘new’ thing, there are a lot of people jumping onto the bandwagon and passing themselves off as experts.
Always check credentials and get recommendations from people that you trust – who have actually used the services of your chosen GDPR practitioner.