As an organisation, we’re responsible for the personal data of millions of company officers, and hundreds of staff. As such, our GDPR journey was never going to be a quick and easy one. But, it’s certainly been very interesting.
Our main priority is protecting our customers’ data and information, as well as protecting our own information.
Our GDPR journey started way back in May 2017. For those who are not aware, the GDPR was passed by the European Union in April 2016 and has a far-reaching impact on data security. It means that any organisation that does business with EU citizens must comply with the GDPR's expanded and more stringent data protection rules. And it sets out the lawful way Companies House as an organisation, and its employees, should store and manage data.
The deadline date is 25 May 2018. All organisations, including Companies House, should be compliant by this date.
I’ve learnt some important lessons during our GDPR journey. Firstly, GDPR is new for everyone – not just Companies House. And, it’s taken me time to understand the law and its implications for the public register, and for us as an employer.
Secondly, I’ve learnt the importance of having senior level buy-in from the outset. Providing senior leaders with clear and accurate information at the earliest opportunity means we now have a senior team that really understands the GDPR and its challenges, as well as the opportunities it brings.
Unfortunately, I’ve seen plenty of inaccurate information in the media. There’s been lots of scaremongering around GDPR. As such, it was important for me to bust the myths, and reassure colleagues that it’s not as scary as they think. It does not mean we need to suddenly get consent for statutory processing, and it does not mean the end of the public register of companies.
Another lesson I’ve learnt is not to underestimate the size and complexity of the task. I quickly realised that the GDPR requirements are wide-ranging. Recording all the processing of personal data that happens across the organisation was an enormous manual task. It took a lot of time and plenty of debate, but we got there in the end!
Working closely with other executive agencies, especially our sponsor department, BEIS, has helped to establish solutions and agree best practice. I’ve found this teamwork to be extremely useful.
Over the last few months, I’ve been part of a working group with policy and communications colleagues. One of our aims was to increase awareness of the GDPR, and of the actions needed to comply as an organisation. Together, we developed a fantastic campaign involving bright colours, retro characters and memorable messages.
The 5 key messages of the campaign are:
- everyone is responsible for protecting personal data
- spend time ‘housekeeping’
- know how to recognise and report security incidents
- know how to recognise GDPR requests and who to notify
- help Companies House remain compliant through good information management
We held a GDPR information event for staff in January 2018, which coincided with International Data Protection Day. All Companies House staff were invited to find out more about the campaign, and how the new GDPR affects their teams.
The campaign itself launched on 21 March and was extremely well-received, with many departments and individuals requesting further information. The information rights team will now begin a Companies House ‘tour’, attending team meetings across the organisation to continue to support and reinforce these GDPR messages.
So, in summary: the GDPR law is complex, wide-ranging and brand new. But the team and I will continue to embed its principles into our everyday work – protecting you, our customers, and protecting us.