12 Reasons why an IT provider doesn’t ‘do’ your GDPR for you
Date of Issue: Tuesday, 3 September, 2019
Representing the biggest change to data protection laws since 1998, the General Data Protection Regulation (GDPR) forced businesses big and small to evaluate how they were collecting, storing and processing personal data.
Depending on your systems and processes, complying with the GDPR isn’t quite as burdensome as some would have you believe, but it has led to some rather worrying assumptions.
The most common we hear at conferences and when speaking to customers goes along the lines of, “oh, the GDPR? Yeah – our IT provider takes care of all that”.
If that’s a phrase you’ve uttered yourself, here are twelve reasons why your IT provider isn’t taking care of your GDPR compliance.
1. They’re not accountable for anything that goes wrong
Accountability for GDPR starts at the very top of the organisation. It’s the law. If – and we hope this never happens – you suffer a data breach, your business is accountable for the loss of data.
There may well be a few links in the chain, but you’ll always be ultimately responsible. Your IT provider? They’re not the ones requesting or using the data.
2. They won’t deal with the ICO
The Information Commissioner’s Office is the body that enforces the GDPR. Your business will need to register with them, pay the renewal fee, and notify them in the event of a breach.
Your IT company isn’t responsible for any of the above.
3. You’ll need to write the privacy notice
IT partners are there to set up your internal systems and networks, configure email and be on call if something stops working – they can’t be expected to get into the legalese of privacy notices.
Your website should display a privacy notice that outlines why and where you collect, store and process personal data, how to contact you, and so on, and it’s up to you (or your legal team) to write it and use it.
4. They’re not responsible for supplier relationships
If you partner with other businesses or suppliers, it’s crucial they take the GDPR just as seriously as you. But it isn’t down to your IT company to do those checks or ensure the right contracts are in place or that processes across the supply chain are compliant.
5. Access rights are up to you
Assuming you’re storing personal data about clients or staff, you’ll need to ensure you have strict access rights in place on your network.
Those access levels and the people they’re attributed to are your decision. It’s the IT company’s job to implement whatever you decide – nothing more.
6. They won’t have an eye on the old-fashioned stuff
While your IT provider will probably look after the digital systems and platforms that host your data, they won’t be responsible for anything that still resides on paper or previous systems.
This extends to phone recordings, CCTV footage, photos, door entry systems and anything else which contains personal data.
7. Data protection impact assessments are your job
It might sound a little unglamorous, but a data protection impact assessment is vital if something changes within your business, and it won’t be up to your IT company to undertake it for you (although you may ask for their assistance).
8. They won’t train your staff
Although many IT partners will train customer staff members on system use, they’re not obliged to head into the realm of GDPR compliance.
This is a specialist subject area, and it’s a sound idea to invest in data privacy training to ensure your staff are up to speed with the latest knowledge and techniques.
9. They’re not responsible for your HR
The GDPR should be woven into all of your business processes, and that includes HR.
Your HR manual, employment contracts, and any other details of data privacy requirements will need to be written by you (ideally with legal input). Your IT company won’t have (or need) any input on this at all.
10. They can’t control what your staff do
Once your IT provider has set up your system, there’s only a finite amount they can do to prevent employees doing things they shouldn’t, whether it’s clicking on links, sending an email to the wrong person, stealing data (yep, this really happens) or just doing something else they shouldn’t.
This again comes down to training, and ensuring your staff know what they can and can’t do, and the consequences if they deliberately do something which will compromise the compliance of your organisation.
11. They won’t deal with your customers
The GDPR applies to personal data you hold about staff and customers, and the latter may well be in touch to request copies of their data or that it be erased. Customers may also send you supplier questionnaires for you to complete.
Your IT department is unlikely to be in receipt of such requests, and even if they are, it isn’t their responsibility to act upon them. The customers in question are yours, and under the GDPR, you’re expected to deal with them in accordance with the rules and guidelines.
12. Cyber insurance is your responsibility
Got buildings insurance? Cyber insurance isn’t required by law, but given that you’re more likely to suffer a cyber attack than a fire or a flood, it’s a sensible investment in the digital age. Cyber insurance is a relatively new product on the marketplace, with new options for cover being introduced every day. It’s there if things go wrong.
However, this is something you’ll need to arrange and renew yourselves. Your IT company might be able to offer some advice, but the responsibility still lands on your desk.
And finally – what if you have your own IT department?
Things are obviously a little different if your IT team is internal, because they’re part of your business, but the buck will always stop with the leadership team and Directors. Therefore, while it’s essential your IT department follows the rules of the GDPR, they’re still not ultimately accountable in the eyes of the ICO if something goes wrong.
The faster you take ownership of GDPR compliance as a business, the less likely you are to fall foul of the hefty fines. You’ll be able to use your understanding of GDPR compliance for competitive advantage.
Thanks to Helen Barge, Managing Director at Risk Evolves (www.riskevolves.com)