We have already pointed it out, but it is worth restating: the EU's General Data Protection Regulation (GDPR) becomes enforceable on 25 May 2018. It is a challenging new regulation, but it also offers plenty of opportunities for businesses of all shapes and sizes.
It is obvious that most firms are not rushing to become GDPR compliant. Many of the firms we speak to have not even heard of GDPR, and a large percentage of those that have do not see compliance as a priority. Smaller and mid-size firms in particular tend to think they will never be caught or, if they are, that they will negotiate their way out of trouble. This divergence of attitudes and lack of preparation clearly indicate that many business leaders do not know what is about to hit them.
Among the firms that are preparing, there is often a gap between what business leaders think GDPR means for their firm and the actual position. This usually comes down to a misunderstanding of how the GDPR rules are interpreted and then implemented. GDPR is not just a privacy compliance issue. It has far wider consequences across the entire business: it touches business processes, record keeping, data lifecycle management and much more. The confusion starts with identifying what personal data is and, more specifically, the difference between ordinary personal data and what the regulation calls "special categories" of personal data (health, biometric, genetic, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sex life or sexual orientation). In earlier data protection law this distinction was often treated loosely; in GDPR it is defined explicitly (Article 4 for personal data, Article 9 for the special categories), and the special categories carry stricter conditions for processing.
The larger and more geographically distributed a firm is, the harder it becomes to identify and locate personal data (often loosely referred to as PII, Personally Identifiable Information, although GDPR uses the term "personal data" and defines it more broadly than many PII definitions). A key point is that any individual in the EU, citizen or not, has a set of basic rights under GDPR. These include the right to obtain a copy of the personal data you hold on them (Article 15), to have inaccurate data corrected (Article 16) and, subject to the exceptions in Article 17 (for example where you are under a legal obligation to retain the data), to have it erased from your systems. Erasure has to be real: it is not enough to delete a record from one application while copies live on in other databases, exports, archives and backups, so you need to know where every copy is and have a documented process for removing or retiring it. Under Article 12 you must respond to these requests without undue delay and in any event within one month (extendable by two further months for complex or numerous requests, provided you tell the individual within the first month). Failing to respond within that window is itself a compliance failure, and if you cannot even find the data you will never be able to demonstrate compliance.
An opportunity to save costs
Looking at this issue from the other side reveals a significant opportunity for your firm to rationalise its data storage and reduce the cost of holding redundant, obsolete and trivial (ROT) data that plays no part in the normal operation of the business. We have worked with firms that store terabytes of data at great cost but have never processed any of it. Simply deleting and destroying this data has reduced their current IT infrastructure spend significantly. Deleting data goes against the grain for most organisations, but if you could cut your data storage costs by, say, 40% and speed up processing at the same time, would that not be a big win? It also aligns directly with GDPR's data minimisation and storage limitation principles (Article 5(1)(c) and (e)): personal data you no longer need is not only a cost, it is a liability you are obliged to get rid of.
The management of data is a key facet of GDPR. Every firm we work with thinks it is good at data management, but it soon becomes apparent that significant portions of its data assets are obsolete, inaccurate or simply not required to operate the business. GDPR is going to put business policies, processes and procedures for managing data under the microscope. This includes document management systems and paper-based filing systems: GDPR applies to personal data held in any structured filing system, not only to data processed by computer.
Time is running out
Firms have been given two years to prepare for GDPR: the regulation was adopted in April 2016 and the transition period ends on 25 May 2018. Once the firm's leadership clearly understands the requirements, most firms, even the smaller ones, will tell you that meeting the security standard of Article 32 (which names encryption and pseudonymisation as examples of appropriate measures, alongside the ability to restore data and to test the effectiveness of your controls) and the records management obligations is such a large undertaking that they are unlikely to be fully compliant by the deadline.
A state of shock
Many business leaders are in a state of shock and wish they had taken GDPR seriously at the start of the two-year transition period. 25 May 2018 is only a few months away. What could you be doing now to prepare?
Our recommendation is to make your senior leadership team aware of the problem. This is achieved through a short education session aimed at board-level consensus. Once you have that consensus we can help you build a risk register so that you know where the gaps are and what your risk appetite is. From there we can create your roadmap to data rationalisation and GDPR compliance.
It is important to note that the responsibility for GDPR compliance is spread across your entire organisation, but the accountability sits with the board.
Action on GDPR should start now. Do not make the mistake of thinking this is simply about hiring a security officer or moving your data into the cloud so that securing it becomes somebody else's problem: under GDPR your firm remains the data controller, and a cloud provider acting as your processor must be bound by a written contract (Article 28), but that does not transfer your obligations to them.
The regulator has already indicated that the largest fines will go to firms that have ignored the regulation, and the maximum penalties are substantial (up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, under Article 83). If you are not fully compliant after 25 May you therefore need documented evidence that you have assessed your position and are taking appropriate action to become compliant.
If GDPR is worrying you, or if you are simply not sure how it might affect your business, we are here to help. We are happy to set up a short, no-obligation call to help you understand the implications of GDPR for you and your business.