18 | JUNE 2018
News
Read online at www.proinstaller.co.uk
3 TOP TIPS IN UNDERSTANDING GDPR
GDPR seems to be on everyone’s lips, and a recent business survey revealed that it has overtaken Brexit as the top concern of businesses. Benjamin Dyer of Powered Now looks at what is and isn’t important and provides some practical tips for dealing with the GDPR conundrum.
GDPR (the General Data Protection Regulation) is in force from 25th May 2018. With the maximum fine for breaking the rules being €20m or 4% of worldwide annual turnover, whichever is higher, the authorities have plenty of ammunition for getting businesses to take it seriously. At the same time there is a lot of rubbish talked about GDPR. In this article I will try to unpack some of the main points.
Whilst for most installers GDPR does not represent a big threat, for Powered Now it’s different. We have to take it very seriously as we already have hundreds of thousands of personal records in our system and aspire to have millions. As a result, we know a lot about it.
1. Remember, GDPR is not that unreasonable
We have been conducting quite a bit of training recently on GDPR. We start by asking our people about the company they most dislike. Then we tell them to imagine that this company has their personal details. How would they like that company to treat those details? We’ve found that the very things they say, like not passing their details to third parties without their agreement, are the core GDPR principles. That’s fascinating.
It’s worth noting what those core GDPR principles are (they are set out in Article 5 of the Regulation). Personal details must be:
• Collected and used only for a specific, stated reason (purpose limitation);
• Limited to what is necessary for that reason (data minimisation);
• Kept accurate and up to date (accuracy);
• Kept only as long as is necessary (storage limitation);
• Protected appropriately against unauthorised access, accidental loss and damage, not just against hackers (integrity and confidentiality);
• Processed on a lawful basis that you can state openly to the people concerned (lawfulness, fairness and transparency).
On top of that, you must be able to show that you are doing these things (accountability). This is all quite reasonable.
The Information Commissioner’s Office (ICO), the UK’s independent regulator responsible for enforcing GDPR, says that it won’t fine businesses that have tried to comply but got something wrong. They will just get a warning. It also says that fines won’t be big enough to put offenders out of business. Again, that’s reasonable.
So, what should you do, given that the rules apply to anyone storing personal data on paper or computer? That includes pretty much every installer.
Well, with over 5 million businesses in the UK, all of whom will store some personal details, the ICO won’t be focused on small businesses for quite a while. However, even under the old regime (the Data Protection Act 1998) a nursing home that lost just 75 personal records was fined £15,000. To get an idea of the actions the ICO can take, you can look at the enforcement record on its web site. I found it amusing that among those slapped on the wrist for data violations were three police forces and the justice department!
Reporting a breach of personal data to the ICO is mandatory unless the breach is unlikely to put the people concerned at risk, and the report has to be made within 72 hours of you becoming aware of it, so you need to know in advance how you would find out and who would make the call. Keep a note of every breach, even the ones you decide are too minor to report. Having said that, installers don’t store any of the special category data like medical records, sexual orientation or political views, nor hopefully do they store payment card details (if you take card payments, let a payment provider hold the card numbers so that they never sit on your own systems). Smaller companies tend to have hundreds of customer records, not tens of thousands. All of this makes them much lower risk than many other organisations and therefore of much less interest to the ICO, who have much bigger fish to fry.
2. Get your simple cyber-security right
Leaving aside the detailed regulations under GDPR, you should make sure you do take several basic precautions to protect your data:
• Make sure all of your computers are secured with a non-obvious password, especially laptops, which can easily be lost or stolen. A login password on its own does not protect the files on a stolen laptop, because the disk can simply be read from another machine, so turn on full-disk encryption as well (BitLocker on Windows, FileVault on a Mac) and check that it is actually enabled. Do not use the same password on more than one machine or account; a password manager makes that practical. Turn on two-factor authentication for your email and any online accounts that offer it, so that a guessed or stolen password is not enough on its own.
• Try to use software from serious companies that know about GDPR and have people dedicated to security.
• If you have a computer network, it should be “locked down” with a firewall that blocks unsolicited connections coming in from the internet. Your local IT company should be able to help with that. Remember that a firewall does nothing about what you or your staff invite in by opening an email attachment. If you are a larger company, you should have penetration tests (“pen tests”) performed by a third party to check whether you have any obvious vulnerabilities for hackers to exploit.
• Have up to date anti-virus software on every machine, and check that it is actually updating rather than assuming it is.
• Make sure both you and your staff are aware that any unexpected or unusual email is suspect. Spoofing an email so that it appears to have come from the boss is a common technique used by fraudsters: often the sender’s display name is the boss’s, while the actual address belongs to a free webmail account or to a domain that differs from yours by a single letter. Any email asking for an urgent payment or a change of bank details should be confirmed by phoning the person on a number you already have, never one given in the email.
• Personal data, including lists of email addresses, should never be left around on memory sticks (if you must carry it, use an encrypted stick) and particularly not in a folder on a web site, where anyone, search engines included, can find it.
• Update all the software you use on your PC, Mac and mobile devices when you are offered the chance, and turn on automatic updates where they are available. All software companies are constantly fixing security vulnerabilities, and you put yourself and your data at significant risk when you stay on old, vulnerable versions.
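To make the “email from the boss” point concrete, here is an added example in Python (not code from the article or from Powered Now): a small checker that applies the warning signs above to an incoming email. The company domain, the staff directory and the three sample messages are all constructed for illustration, and the check is a heuristic that a mail filter or an alert member of staff could apply, not a complete anti-phishing system.

```python
# Added example, not code from the article or from Powered Now.
# Heuristic checks for an email that pretends to come from a colleague
# ("CEO fraud"). COMPANY_DOMAIN, STAFF and the sample messages are all
# constructed for this illustration.
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

COMPANY_DOMAIN = "example-installers.co.uk"   # assumed company domain
STAFF: Dict[str, str] = {                      # assumed staff directory
    "Benjamin Dyer": "ben@example-installers.co.uk",
}
# Words that, in combination, signal the usual "pay this now" pressure.
PRESSURE_WORDS = ("urgent", "today", "bank details", "wire", "transfer", "invoice")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one or two letters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_message(raw: str) -> List[str]:
    """Return the reasons a message looks like boss-impersonation fraud (empty = clean)."""
    msg = message_from_string(raw)
    findings: List[str] = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1]

    # 1. A real colleague's display name on an address that is not theirs.
    expected = STAFF.get(from_name.strip())
    if expected and from_addr != expected.lower():
        findings.append(f"display name '{from_name}' belongs to {expected}, "
                        f"but the message came from {from_addr}")

    # 2. A sender domain that is almost, but not quite, the company's own.
    if from_domain != COMPANY_DOMAIN and edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain {from_domain}")

    # 3. Replies quietly redirected to a different mailbox.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr:
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 4. The receiving mail server already recorded an SPF/DKIM/DMARC failure
    #    in its Authentication-Results header (RFC 8601).
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} check failed on receipt")

    # 5. Pressure-plus-payment wording in the subject or body
    #    (samples are single-part plain text; multipart mail would need msg.walk()).
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    haystack = ((msg.get("Subject") or "") + "\n" + body).lower()
    hits = [w for w in PRESSURE_WORDS if w in haystack]
    if len(hits) >= 2:
        findings.append("payment pressure wording: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
LEGIT = """\
From: Benjamin Dyer <ben@example-installers.co.uk>
Subject: Boiler job at Mill Lane
Authentication-Results: mx.example-installers.co.uk; spf=pass; dkim=pass

Can you send the customer the quote we discussed?
"""
SPOOFED = """\
From: Benjamin Dyer <ben.dyer.office@gmail.com>
Subject: Urgent - supplier payment today
Authentication-Results: mx.example-installers.co.uk; spf=pass; dkim=pass

I'm stuck in a meeting. Please transfer 8,400 to the new bank details below.
"""
LOOKALIKE = """\
From: Benjamin Dyer <ben@example-instalIers.co.uk>
Reply-To: payments-desk@outlook.com
Subject: Invoice
Authentication-Results: mx.example-installers.co.uk; spf=fail; dkim=none

Please wire the attached invoice today.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("look-alike", LOOKALIKE)):
        print(label, check_message(raw) or ["no findings"])
```

Run as a script it prints the findings for each sample: nothing for the genuine message, the display-name mismatch plus the payment wording for the webmail one, and all five warning signs for the look-alike domain. The useful lesson is the first check: the name in the “From” line is free text that anyone can type, so it is the address behind it, and the domain of that address, that has to be compared against what you already know.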
These precautions will hugely reduce your risks under GDPR. They are also plain good practice for your business, as they reduce your risk of being hacked and extorted, which can be very painful. One more thing belongs with them: keep a backup of your data that is not permanently connected to your computers, so that an extortion attempt that encrypts your files still leaves you with a copy to restore from.
3