On 25 May 2018 most processing of personal data by organisations will have to comply with the General Data Protection Regulation (GDPR). This legislation replaces the Data Protection Act and will have far-reaching consequences for how institutions collect, process and store data. Individuals will gain greater rights and control over their data. This will put a significant burden of compliance on practically every company that relies on personal data.
With fresh reports of data breaches and cyber security failures seemingly in the news every week, the legislation is in part aimed at ensuring institutions take more care over their obligations to safeguard customer data.
Larger organisations such as banks or retailers have been preparing for GDPR for some time. I know one high street bank that has multiple teams working on different parts of their operation supported by offshore resources in an effort to ensure GDPR readiness. But not all organisations have access to the same level of resources.
A survey by Forrester Research suggested that 80% of businesses would not be compliant by the deadline. This was backed up by a survey of small businesses, which indicated that only 6% of organisations were completely ready for GDPR. Worryingly, 67% admitted they were ‘not close to being ready’. That is a significant number of organisations for whom the fixed deadline, now less than four months away, will fast become a harsh reality.
In my experience, there is still a lot of confusion around GDPR and some organisations are struggling to navigate their way through the various steps to ensuring compliance.
For some, preparing for GDPR represents an opportunity. It has been a catalyst to review processes, technology and platforms, as well as to help drive greater digital transformation of the business.
But for others, particularly the smaller organisation, ensuring GDPR compliance will be seen as a burden and an unnecessary overhead.
With fines that could rise to as much as 2% of turnover or €10m for data security breaches, this is one regulator that appears to have the teeth to match its regulatory bite.
It is clear that the regulations go much further than the protection of data enshrined in the original Data Protection Act.
Organisations that are still looking for help with GDPR compliance often start with the Information Commissioner's Office (ICO) website. However, smaller businesses are struggling to find the time required. I know of one business that tasked a software implementation specialist who wasn’t on a project with becoming their GDPR expert.
Where can you turn to for independent advice? There are no qualifications for consultants or companies that claim to be GDPR experts. No-one has to sit an exam or pass a theory test in order to demonstrate a certain level of GDPR expertise.
It reminds me greatly of the Y2K debacle at the turn of the century, when businesses were faced with the doomsday scenario of all of their IT equipment ceasing to work properly because many systems were supposedly unable to cope with the change of date to 01/01/00. Most businesses were barely affected, and those that benefited the most were the Y2K expert consultants looking to fleece, I mean, assist organisations with their Y2K challenges.
Take a look at the website of any company claiming to help with GDPR and quite often they have an agenda of their own to push, be it selling more consultancy services (not an issue in itself, everyone has to make a living after all) or the provision of software or solutions that will supposedly help ensure compliance.
GDPR is such a huge topic that organisations should look for product-agnostic consultants or suppliers who are able to offer the most appropriate technology solution according to the specific business requirements. This might be to recommend the best secure firewall, multifactor authentication, biometric security or encryption technology, for example.
It might make sense for some companies to work with a single organisation that can both advise on GDPR compliance and supply the necessary solutions. However, in most cases it is likely to be beneficial to have a more independent guide to help you through the GDPR maze.