This month the Meetings Industry Association (mia) hosted a Business Breakfast event to hear events marketer Hellen Beveridge discuss what the General Data Protection Regulation (GDPR) will mean for the sector, ahead of its enforcement date on 25 May 2018.
Over 60 members travelled from around the UK to Bush House, King’s College London, to find out what the new legislation will have in store for collecting and storing data and whether appointing a Data Protection Officer (DPO) is necessary to avoid possible fines.
Hellen Beveridge admitted she has been living and breathing GDPR legislation to help better prepare businesses for what is to come. The UK is seen to be behind when it comes to the transition to the new legislation, with some businesses still unaware that they must be fully compliant by May 2018 or risk fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher.
The current Data Protection Act (DPA) has long been outdated, dating from 1998, before the rise of the digital age and the popularity of social media. This necessary move will ensure that the privacy of individuals is better respected and that a new level of trust is built.
Hellen explained that smaller businesses should be aware that no one is exempt from the risk of security breaches, especially where they share information unencrypted, store work data on personal devices or dispose of data incorrectly.
She also discussed the possibility of being targeted by hackers. It is a problem for businesses of all sizes because of what is referred to as a 'honeypot' of information: hackers gather small pieces of personal information from many sources (known as 'harvesting data'), such as names, addresses and bank details, then sell the aggregated information on. Even a small breach contributes to that pool.
Hellen advised that all business owners should conduct a full data audit and destroy any information that will not be compliant ahead of the enforcement date, outlining that 'data is very difficult to destroy, but the legislation says that you need to make a reasonable effort in proportion to risk and sensitivity of the data you are handling.' Hellen explained that low-risk portable data, paperwork for example, can be physically shredded if the paper is then disposed of correctly. The same applies to digital files: they can be deleted from your computer, but the rubbish bin also needs to be emptied so that the files are not trivially recoverable. Note that emptying the bin only removes the file's directory entry; the contents remain on the disk until overwritten, so for anything sensitive a secure-erase tool, or whole-disk encryption with the key destroyed at disposal, is the proportionate measure.
For those looking for a simpler way to store their data, Hellen suggested a SQL database, which she described as the easiest place to store and remove data, since old backups are eventually overwritten on a retention cycle (provided the backups are actually rotated, a deleted record does not linger indefinitely). She explained that it is 'important to remember that some people never want to hear from you again, so it is important to maintain a global suppression list to ensure that their information doesn't end up on your database again.'
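The suppression list described above, as an added example that is not part of the original article or the speaker's material. It uses SQLite for illustration; the table names, the `SUPPRESSION_KEY` pepper and the sample contacts are all hypothetical and constructed here. The suppression table stores a keyed hash of the normalised address rather than the address itself, so the list does not become another store of personal data for people who asked to be forgotten, and an erasure request both deletes the record and blocks the address from being re-imported later (for example from an old spreadsheet).

```python
import hashlib
import hmac
import sqlite3

# Hypothetical pepper for this example; in production keep it in a secrets
# store, never in source code, and never rotate it without re-keying the list.
SUPPRESSION_KEY = b"example-pepper-do-not-use-in-production"


def normalise_email(email: str) -> str:
    # Lower-case and trim so "Alice@Example.com " and "alice@example.com" match.
    return email.strip().lower()


def suppression_token(email: str) -> str:
    # Keyed hash (HMAC-SHA256) so the suppression table holds no plaintext addresses.
    return hmac.new(SUPPRESSION_KEY, normalise_email(email).encode(), hashlib.sha256).hexdigest()


def open_db() -> sqlite3.Connection:
    # Hypothetical schema: live contacts plus a separate suppression table that is never purged.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE contacts (
            id           INTEGER PRIMARY KEY,
            email        TEXT NOT NULL UNIQUE,
            name         TEXT NOT NULL,
            consented_at TEXT NOT NULL
        );
        CREATE TABLE suppression (
            token         TEXT PRIMARY KEY,
            suppressed_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
        );
    """)
    return conn


def add_contact(conn: sqlite3.Connection, email: str, name: str, consented_at: str) -> str:
    """Insert a contact unless suppressed. Returns 'inserted', 'exists' or 'suppressed'."""
    if conn.execute("SELECT 1 FROM suppression WHERE token = ?",
                    (suppression_token(email),)).fetchone():
        return "suppressed"
    with conn:
        cur = conn.execute(
            "INSERT OR IGNORE INTO contacts (email, name, consented_at) VALUES (?, ?, ?)",
            (normalise_email(email), name, consented_at))
    # INSERT OR IGNORE reports 0 changed rows when the UNIQUE constraint skipped the row.
    return "inserted" if cur.rowcount == 1 else "exists"


def erase_contact(conn: sqlite3.Connection, email: str) -> int:
    """Handle an erasure / opt-out request atomically: delete the record and suppress the address.
    Returns the number of contact rows deleted (0 if the address was not on file)."""
    with conn:
        cur = conn.execute("DELETE FROM contacts WHERE email = ?", (normalise_email(email),))
        conn.execute("INSERT OR IGNORE INTO suppression (token) VALUES (?)",
                     (suppression_token(email),))
    return cur.rowcount


def import_list(conn: sqlite3.Connection, rows) -> dict:
    """Bulk import, e.g. a re-uploaded spreadsheet; suppressed addresses are dropped."""
    stats = {"inserted": 0, "exists": 0, "suppressed": 0}
    for email, name, consented_at in rows:
        stats[add_contact(conn, email, name, consented_at)] += 1
    return stats


def demo():
    """Constructed scenario: import, one opt-out, then the same old list re-imported."""
    conn = open_db()
    seed = [("alice@example.com", "Alice", "2018-01-10"),
            ("Bob@Example.com", "Bob", "2018-02-03")]
    import_list(conn, seed)
    erase_contact(conn, "bob@example.com")
    stats = import_list(conn, seed + [("carol@example.com", "Carol", "2018-03-01")])
    remaining = [r[0] for r in conn.execute("SELECT email FROM contacts ORDER BY email")]
    return stats, remaining


if __name__ == "__main__":
    print(demo())
```

Two design points worth keeping when adapting this: the suppression table must be excluded from any purge or retention job and must be restored along with the contacts table from any backup, otherwise a restore silently reintroduces people who opted out; and the pepper must be kept separate from the database, since with it an attacker could test candidate addresses against the list.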
Hellen went on to discuss the option of appointing a DPO, noting that it is only mandatory for public authorities and for organisations whose core activities involve large-scale processing of sensitive (special-category) data or data on criminal convictions and offences, or large-scale, systematic monitoring of individuals. She did mention, however, that it would be a good idea to appoint someone within your company who can attend a course to learn more, as the legislation and the guidance around it will keep evolving and it will be important to stay current on what any future changes mean for businesses.
The key message Hellen delivered to delegates was to start ‘thinking of data as people’, to change the perception and attitudes around collecting, storing and deleting data, as the reputation of the business owners is now on the line.
For more information regarding GDPR, visit https://ico.org.uk/