Most organisations – and certainly those we are working with – are aware that the EU’s General Data Protection Regulation (GDPR) comes into force on 25 May 2018. While it’s top of the agenda in many conversations we are having right now, it also seems like a long way off. We would encourage any business to start the education process now, and not to forget that now is also the time to start planning and working towards being compliant-ready before that date.
In terms of programme timescales, the GDPR is a significant overhaul of the current data protection regulations, so for larger, more complex organisations that collect a lot of information in many different forms it will take more effort than for smaller companies. GDPR requires more documentation of data flows and operational processes, which will take time to implement and embed into day-to-day business operations. A critical component of the programme is to evaluate the effort and tasks required and to use a risk-based approach to review and implement the changes needed. That way, if the deadline passes before the programme is complete, the organisation will have an immediate view of the outstanding effort and the risk exposure it faces.
Obviously, when it comes to putting a major compliance programme like this in place, time is of the essence, but how long it takes depends on how you structure the programme. GDPR compliance is not a serial or linear exercise; elements of the programme can run in parallel. Ultimately it comes down to good programme management and subject-matter expertise on GDPR and its requirements.
What are we advising our customers at this stage?
- Data discovery and recording of the data flows is probably the biggest part of the job, especially in complex organisations with legacy systems and a variety of interfaces through which they capture information.
- Education is critical. If you have a compliance office already in place, they need to be educated and up to speed and ready to hit the ground running. They will also need to be able to educate the business on the key requirements of GDPR and how it may affect business operations.
- One area that will cause lots of challenges is data portability and the ‘right to be forgotten’: the ability for someone to ask for their information to be removed or transferred relies on it being held in a commonly used format. So some of the legacy information and systems we see need to be reviewed to ensure this can happen within the timescales. Remember this applies across all media forms, whether it’s voice, data, images, and so on.
- Last and definitely not least is incident response. The ability to notify within the new 72-hour window (set out by GDPR, replacing the current non-mandated breach notification regime) will present real challenges, so legal counsel may be required. And when incidents do occur, they don’t always happen between 9am and 5pm when people are in the office, which may cause problems for some.
Our advice to clients is don’t wait. It’s like throwing a stone into the ocean: the longer you leave it, the bigger the stone gets and the more waves it will make in the organisation, until eventually the fines come in, and then it’s tsunami time rather than a manageable ripple.