25th May 2018 is the deadline for business to comply with a new set of regulations governing data gathering, storing and security. The General Data Protection Regulation (GDPR) pulls together the plethora of data privacy laws and guidelines into one, neat package.
The noise around GDPR has meant that everybody and anybody claims they can help your business be compliant. All you need to do is follow the 12-point plan and there you have it. On the face of it, this sounds like a plan, but, in reality, unless you are looking to take data protection to the heart of your business strategy, it is likely to be ineffective.
GDPR and Realism
As compliant with GDPR as you may be, it does not protect your business from a data breach and, more importantly, it doesn’t protect you from the impact this kind of breach will have on your business.
And so, with this heavy dose of realism ringing in our ears, what is it that you should really be looking at?
Non-compliance comes with heavy fines that would place the brakes on your business development. But data breaches – and your inability to handle them – will affect share price and value, lead to potential action from disgruntled customers and employees who may also be affected, as well as diminish hard-won customer trust.
Compliance will not stop breaches but when you pull data safety and security into business strategy and prioritise it, you will by default, be in a position to handle such calamities better than if you ‘just comply’ with GDPR.
It’s time to stop dancing around data security and make it a core principle of your business.
Time to Get Really Serious
There are many organisations – large and small – who are not currently compliant with the Data Protection Act and there are many more businesses who are nowhere near GDPR complaint. It will take time, effort and commitment.
Regulations are full of grey areas, with GDPR being no different. But there seems a more serious intent on the part of regulators to enforce these standards, highlighted by the fines for non-compliance, up to €20 million or 4% of your global revenue. As always, ignorance is no defence in law thus, your business is expected to be compliant by May 2018.
When a set of standards is presented to us, the common approach is to ‘pass the test’ and ‘tick the boxes’, basking albeit for a short period of time in our ability to meet the regulations. But then, the real works starts.
Buying in Expert Services
Until grey areas are clarified with legal challenges, debated and contested, businesses are left in a position where they need to tick the boxes. And with GDPR being a new set of goal posts, and data protection not always being what it should be, it is commonplace for businesses to look to experts.
But what is the market telling us? Cheap and cheerful, a ‘few-hundred-pounds and we guarantee or promise GDPR compliance’ services are best avoided. It took years for the European Union to agree on a set of guiding principles and with the policy running to some 260 pages, you do need to question whether these cheap services are worth the money you pay, regardless of how little the invoice.
A consultant working in this field – or a consultancy agency – needs serious practical knowledge and experience, as well as a heightened sense of business acumen to truly understand the impact of GDPR on a business.
Buying in Software
Another approach is to buy in software that purports to ready your business for GDPR. Again, there may be some mileage, depending on the who, why, what, when of the development of these systems.
But again, there are blinkers to this approach. Understanding how you can encrypt information may seem like the solution, but in reality, it is but a small portion of what GDPR is all about.
This also suggests another problem – GDPR compliance and the reality of it, its impact and so on, means you need to really understand your business and the role of data within it. Unless you are taking a holistic approach, you are not really making any headway or changes.
The Skills Gap
The headhunt is on. The rigid application of GDPR means that you may (or may not) need a Data Protection Officer (DPO). There is a skills gaps – a chasm if you will – of the people who have the right skills, knowledge, experience and qualifications.
There are two options:
- You join the headhunt race and look for a DPO that has the battle scars and the qualifications to be an effective addition to your team
- You outsource data protection to a third party, equally as knowledgeable, skilful and battle-scarred.
Battle scars in terms of data protection relate to mistakes but have gone on to succeed. There needs to be a depth of understanding, as well as a level of application that means it is part and parcel of how your business operates effectively, and not just ‘ticking a box’.
Doing it Right
Ticking boxes, running off-the-shelf software, paying someone to make sure you are just GDPR compliant is not doing it right. For some, it is taking a significant risk that could leave you wide open, still, to the hackers, attackers and breaches that embarrass and cripple a company.
The only way forward is to embed GDPR and data protection within the business strategy. But retrofitting is expensive and cumbersome; essentially, you need to look forward and take action now.
Yes, take the quick wins of being GDPR ready but don’t rest on your laurels. This is an opportunity to change and adapt, improve and evolve.
Data protection is a hidden fault line in your business.
GDPR is the chance to identify it, acknowledge it and plan for the disaster that could come your way.
For more information on GDPR, take a look at the Information Commissioner pages or use their newly launched helpline 0303 123 1113.