GDPR one month on…

Posted on Wednesday 11 July 2018

The view from three of our members … if you would like to contribute, please contact editor@theicg.co.uk or add your comments below.

Nanda Marchant – added insight ltd

As someone who doesn’t do recruitment myself, GDPR is perhaps less of a headache for me, and more a case of reappraising and continuing previous good practices such as:

  • shredding/deleting records after use
  • not being sent any more personal data than I actually need
  • password protecting a file with focus group respondent details in
  • saying simply ‘interview 1’ etc on audio recordings rather than an identifier

I think that is what would be reasonably deemed by the ICO as taking sensible precautions and I am not intending to go drastically further than this.  I feel I can sleep with a clear conscience knowing that the steps I take are commensurate with the type and amount of data I handle.

I’m not intending to get a security system the size of Fort Knox or grill the mighty Dropbox about exactly which jurisdiction their files are held in, etc (unless an absolute client requirement).  I find it hard to believe that the ICO (or indeed a respondent) would have either the time or inclination to take me to task over it.  Yet the huge amount of noise around it in the run up to D-Day could certainly make one feel under real pressure to do all these things.

I have tried instead to resist such panic.  Excuse my rash and gung-ho attitude, and maybe I’m now going to hell in a handcart, but I am heading towards retirement and can do without too much hassle of spending many days on training, systems and extra procedures and documentation where I feel they are over the top.  Especially when I see a lot of hypocrisy here.

For example, I work with several large agencies, one of whom asked me to sign in blood that I will follow everything in their legal agreement on GDPR to the letter, right up until clause 32.4.  I was going to argue over it but in the end just signed to say I understood my obligations, swore my undying allegiance to them and the Queen, etc etc.  Then they swiftly proceeded to send me a load of respondent names and personal details, totally un-password protected in an email – talk about double standards!

This week is my 16th anniversary as a consultant.  I have survived all this time without a complaint about recklessness and data breach.  I believe very much in respecting confidentiality, taking great care with sensitive data and all that good stuff, but GDPR hasn’t changed that.  Yet I feel sorry for recruiters and others out there who have done the same but are closer to the front line of now having to go through ridiculous hoops, when surely these laws were really intended for the kind of outrageous breaches seen by the big corporates, not us hard working little independents!

Footnote: I have just met with my accountant and asked him about GDPR. He was pretty much shrugging it off as not affecting him, despite walking round with all my sensitive financial information, how much profit I make etc, with little thought about data sensitivity. So despite my flippancy, I feel I’m maybe further ahead and more cautious than some other small businesses, in fact he asked me if he could filch a copy of my GDPR policy!

Mark Lasbury – Ampersand Research

No real effect on our business, apart from in the run up of getting systems and documentation into place, the occasional extremely complex and confusing contract from large clients to examine and the deluge of opt-in emails to ignore to help rationalise our inboxes.  Thankfully there were a lot of great resources available.  I have worked with Suzanne Dibble since we launched, and known her for many years before that, and her programme was immensely helpful.  It was a great exercise to reassess our system, and ensure that we were only collecting, using and storing data when absolutely necessary.

What effect do you anticipate in the future?

Probably a lot more complex contracts from large clients to examine in detail

How much is GDPR being discussed/mentioned/implemented in your working life?

It doesn’t get mentioned a lot any more – very much like the millennium bug – all the panic seems to have subsided.   All of our clients and suppliers ensure it is being followed, and processes seem to be in place. 

How did you feel about it pre-25.5 and how do you feel about it now?

We were a little concerned, but had been learning about it for a year in the run up to it and planning our systems for 6 months prior to implementation.  We were never really worried.  We have always been very careful about how we collect, use and store data, so it was a case of tightening up a few systems.

What extra support do you need (if any) going forward?

I can’t foresee any at the moment, unless someone wants to volunteer to go through some of our clients’ contracts in detail for us – some of them are excessively long winded!

Claire Labrum – Strictly Financial

We knew that GDPR was coming for some time, so nothing was a surprise or shock.  Over the past year we have been gradually 'learning' more about it and deciding what action we needed to take to comply – using the inevitable business 'downtimes' to read and investigate the implications.  We subscribed to Lesley Cooley's course (very useful summary), as well as using the resources that the MRS published to help us decide on a suitable course of action.

My initial response was 'more red tape' – but once I looked at it in more depth I saw a lot of sound principles encompassed in the legislation – if it were my data, I would like to think that companies were taking the same basic precautions to protect it.  I was also really encouraged by the help and advice posted by the ICO, and their clear attitude that this is not a witch hunt, but more about companies taking sensible steps to protect the data of individuals.  Quite right!

On reviewing our processes, the big finding for me was the amount of unnecessary data that we held.  When a job completes, you move on to the next urgent task and don't necessarily review emails, job files and the dreaded default 'download' folder to check and delete files.  It also challenged my 'hoarding' mentality – do I really need to keep all of that information and primary data (audio and video files, transcripts) on a job that is several years old 'just in case', or just the key documents?  A purge of our files was actually quite cathartic, and freed up a lot of space on our network!

We have had some 'silly' requests, and a few clients have sent through 'enhanced' paperwork which has required more time – but I feel that this is now part and parcel of running a business in the digital age and we will soon adapt.  I have to admit I am still a little hazy as to whether (and when) we are a data processor or controller (as we flip between the two) so my approach is to cover both bases in our paperwork.  I have also taken a pragmatic approach – for example with signature sheets and contracts with our regular suppliers – I think that if we were ever 'audited' the fact that these are in place at all, coupled with our other 'good practice' will be enough to show that we are taking our obligations seriously.  

Looking forward, I think it will be business as normal…