Merchant GDPR Compliance will be more driven by supply chains than the ICO


Andy Flinn, 11 December 2017

Andy Flinn of RDS Global talks about the forthcoming GDPR compliance law:


As we approach the legal deadline (May 2018) for all builders' merchants to comply with the law regarding data protection, many of us may feel overwhelmed by the legal speak around GDPR compliance.

Smaller businesses can feel blinded by the volume of information now being pushed from all angles, mostly from legal and professional services seminars, and may sideline or ignore this issue in the belief that smaller businesses will duck under the radar of the Information Commissioner's Office (ICO) police.

This may be true for a while, but as the months pass, non-compliance will be highlighted by the supply chain well before the ICO gets its hands on your organisation.

The GDPR law is specific, not optional, and will be enforced by the ICO on an increasingly rigorous basis. Larger customer organisations are now well prepared and have plans to be certified compliant by the deadline. The supply chain eventually reaches YOU.

Customers and suppliers will insist on your certified compliance to continue doing business with you. Remain non-compliant, and you will lose those customers. It is this pressure and requirement that will drive the take-up of GDPR compliance, leaving the ICO to monitor and take action where the supply chain highlights non-compliance. The ICO is now being funded, and is taking on inspectors and other staff.

However, going forwards, the ICO is gearing up to become a self-financing organisation, which means that it will need to impose fines in order to fund itself. This is bad news for businesses, which will become targets for the ICO.

Many articles stop at this point, getting across the general issues of GDPR compliance and focusing on the big picture only. We thought it was high time we got specific, and helped you by illustrating just some of the specific points that you must consider to become compliant.

Data management starts with identifying what data you hold. This takes the form of multiple databases, your contact software, email software, and any ad hoc tools that have sprung up over the years that you use for marketing. This data takes many forms, and at board level you may not even be aware of its existence: it was created by your teams, is helpful today, but will not be compliant tomorrow.

Then there is the matter of hard-copy, paper-based records. These are included in the GDPR, so long-forgotten documents fall within the remit of the ICO and the GDPR framework. Do you understand where these are held, and who has access to them?

Access to data records is critical, as "sufficient controls" must exist to protect the data subject. Do you have controls over where data is stored, and over who has access to it? Storage of data on people's local PCs has previously been highlighted as a security problem, but GDPR places a board-level responsibility on you to ensure this is controlled and audited.

Then there is the relationship with your suppliers and customers. Do you understand their compliance, the legal relationship that controls the sharing of data, and your own control over this process?

GDPR compliance is not optional; it becomes law in May 2018. Your business must comply to avoid the well-publicised fines and penalties.

This is NOT just an IT issue; it is a boardroom, director-led matter that will either promote and drive business or, in the case of non-compliance, drag your business down, lose you customers and reduce your profits.

Don't delay. Establishing an early audit is the first step. This will provide you with the facts about your business and help you decide your next actions. Doing nothing is not an option if you want to do business in 2018.

For more information about the BMF's new Cyber Security service, which helps members to reinforce information security and to comply with the new data protection laws that come into force in May 2018, contact Richard Ellithorne at [email protected].


This article appeared in the winter 2017 edition of One Voice