It may require a leap of the imagination, but it can help to think about the EU’s General Data Protection Regulation (GDPR) in a similar way – a chance to get sorted, get rid of the clutter and focus on what’s important. Personally, I can’t remember another security and data protection initiative that has focused the mind and led to such engaging and open conversations, which can only be a positive step forward.
Coming into effect on 25 May 2018, GDPR applies to any organisation that processes the personal data of EU citizens regardless of where they are situated. Brexit won’t let UK companies off the hook either as the government has announced that the legislation will be brought into UK law too.
GDPR enhances and extends current privacy laws. For example, existing data subject rights to receive a copy of data and the right to rectification are extended with shorter time limits for compliance. There are also new rights such as the right to erasure (although these aren’t quite so broad as the much-discussed right to be forgotten) and to self-report any breaches. In all, it covers around 300 pages, which at times lapse into vagueness, so despite its importance it is very much open to interpretation.
However, potential fines have been described as “eye-watering” and the risk of being found as non-compliant has focused minds around this issue of responsibility. Often this is landing in the direction of HR and payroll.
While having GDPR responsibility may in the short term appear to be a burden, I believe most employees will rise to the challenge, transforming a chore into a positive initiative. The creation of rigorous guidelines for personal data, will then act as a template for other data held such as information on customers and prospects.
Each business will have to work out how the legislation applies to them and then work out processes and procedures surrounding the changes. This will mean writing policy, creating processes and communicating them so that everyone can follow. Every business function has done this at one time or another, but in my view, GDPR is creating better behaviours through the requirement to be even more transparent.
The extended transparency requirements of GDPR mean, in practice, communicating the “Who, What, Why, Where, When and How” data will be processed. Getting this clear and being able to communicate it simply is one of the key challenges of GDPR but it also leads to one of its most engaging benefits. It is leading to many policies that may have previously been developed in silos and kept internally being much more openly shared, allowing greater collaboration and producing better material.
We need to remember that every organisation is going through the same process with their colleagues, with customers that they process data for and with all relevant suppliers. This is leading to significant interaction, which when done correctly, leads to daily opportunities to share best practice, benefiting all involved. From experience, I know that this legislation is forcing organisations who have potentially done business over a long period of time, in an almost anonymous fashion, to begin to interact again and line up on expectations and if necessary working together to ensure they are fulfilled.
Once best practice has been established around personal data, it must be remembered that GDPR is still a business-wide challenge and privacy and security measures need to be integrated into processes across the board. When this is executed well, it will be a great opportunity for business to really engage with their colleagues, customers and suppliers, building stronger more trusting relationships along the way.
Overall, it’s important not to focus on the fines for non-compliance, but rather the positive results – the focus on driving greater collaboration between the internal units of the business and also externally with customers, partners and suppliers. Those who can lead the way, championing this positivity and showcasing their expertise in data issues could do well out of GDPR.
We’ve been working with our customers who are implementing GDPR for a while now and the level of activity is ramping up now May 2018 is in sight. There’s no doubt that adoption is not just about data security but it’s an opportunity for cultural change and a new way of working.
It’s a good opportunity to get your data in order, review processes and eliminate the dead wood. Unless we meet these crossroads from time to time – or mislay that sock – these tasks may never happen and we don’t ever know how much more rewarding it feels to be on top of the game.
