GDPR The Whistle-blowers!

We have heard a lot of cynical views around GDPR, especially the comment “it will never happen to me”. Well, we thought it might be worth reminding you who might blow the whistle on you to the ICO.

  • EU Citizens – Any EU citizen who believes they have not given you permission, or have not been notified, is at liberty to do this. Recently we heard about a Midlands firm that handled data on EU citizens in another country; the local equivalent of the ICO was tipped off, and a substantial penalty followed which has now affected the company’s financial viability going forward.
  • Employees – I had another comment, from an organisation in manufacturing, saying “it does not apply to me as I am in B2B, not B2C”. Unfortunately, they are misinformed: the regulation applies to employees just as it does to citizens. Therefore all the data they hold on their employees, and how they handle it, comes into scope.
  • Customers – These could be deemed one and the same as citizens, but unless a citizen buys something they are not a customer, so perhaps “prospect” might be more appropriate. Anyway, if a customer believes that information they provided about themselves in good faith is being used in a certain way without their permission, e.g. big data analytics, then guess what could happen?
  • Directors – If a director is aware of an activity involving personal data that has not been approved in the way a policy states, they may inform the local DPO of the issue and an investigation will follow, especially if the director has since moved on for whatever reason.
  • Competitors – Yes, controversial as it might sound: if one of your competitors becomes aware of inappropriate handling of personal information, they could feel “morally obliged”, obviously, to let the local data enforcement agency know.
  • Cyber – With the ongoing spate of cyber activity, is it beyond the realms of possibility that attackers could take a new approach to causing harm? If they can blow the whistle anonymously in order to cause financial damage and brand reputational impact, do you not think they might?
  • Contractors – Many organisations employ part-time individuals, who might discover how the organisation handles internal data and external client data, and so could inform the ICO.
  • All Controllers – Other controllers may be involved, especially where data analytics comes into play, and so may be aware of how data is processed; in order to mitigate possible action against themselves, they may inform the ICO of the situation.
  • Processors – It is also stated that processors could be pursued by controllers. Ahead of such action they may feel inclined to inform the ICO, again in order to mitigate potential fines and counteractions.
  • DPOs – Data Protection Officers will be appointed and in place, and will have two lines of reporting: one to the board and the other to the ICO, so they will be obliged to report occurrences as and when they happen.

There are many other scenarios and individuals that will unfold as time moves on. This list is not exhaustive and just sets the scene as to some possible circumstances; it is also not meant to be all doom and gloom. GDPR compliance is like sitting a maths test: some of the marks go towards the working out. As long as you can demonstrate you have started the process, even if you have not answered every question correctly, you will still receive some of the marks and, in this case, potentially minimise the fines.

If you are unsure what to do next, or would like to know more, we can aid you in your journey towards GDPR compliance: click here to book a call with one of our consultants. Alternatively, contact us here.