The incoming General Data Protection Regulation (GDPR) will have a seismic impact on the way organisations in both the public and private sector operate. With the enforcement deadline of 25th May 2018 approaching fast, the time has come to face up to some harsh realities about the complexities of compliance and the consequences of failure.
This week the Parliament Street think tank unveiled new research on how London councils were preparing for the legislation. Key findings included an allocated budget in excess of £1.2 million for preparing local authorities for the legislation, with some spending up to £300,000 to get their operations in shape before the deadline.
What was most interesting about the report was that it provided a breakdown of how each council had allocated its resources, including spending on staff training, software, consultancy and internal readiness programmes. All these elements are essential for preparing an organisation for the GDPR, but many companies feel increasingly under pressure to deliver them.
Part of the problem is that there is no standard solution to achieving complete compliance. Businesses are complex and make use of data in different ways depending on the size and scale of the organisation.
To make matters worse, the race for increasingly digitised customer data has left many organisations information-rich, but compliance poor. In terms of specifics, they have no idea how much data they manage, where it is being used and how it is processed.
Suddenly, they are being told that failure to deliver rigorous data compliance will lead to severe consequences: fines of up to 4% of annual global turnover or €20 million (£14 million), whichever is higher, can be imposed on companies for severe violations.
It's also worth emphasising that the effects of the legislation will be felt worldwide, impacting any organisation that processes the data of EU residents and affecting UK companies once the Brexit process is complete.
The simple fact is that many businesses are, at best, likely to be in the early stages of their GDPR readiness programmes. This means they still have scope to change budgets and divert resources to improve their approach, making life easier for everyone.
So instead of hoping for the best before descending into panic, it's time for business leaders to initiate a GDPR wake-up call across the organisation so that employees at all levels understand the challenges ahead.
To achieve this, there are three key recommendations I can offer to help companies prepare for one of the biggest tests they have ever faced.
The first is to get to know your data. If you have even the slightest doubt about the information you oversee, it's time to conduct a complete audit of your data assets, so you have full visibility into what you manage, how it's categorised and how you use it. Digitising and filing your data as part of a pre-GDPR spring clean is not enough; you cannot be sure you are compliant unless the facts are in front of you.
The second is to make it clear that everyone has a responsibility to prepare for the GDPR. I've heard arguments that it's all the job of the Chief Data Officer (CDO), the compliance executive, the finance team, in-house lawyers and even HR to oversee these preparations. The truth is, everybody has a part to play in this process; that's why staff training and awareness are critical.
Ways to do this could include developing internal company guidelines on how to handle data securely and in line with the necessary procedures. Investment in staff training on how to use the latest compliance software for categorising data will ensure the workforce is given the right information to operate with confidence.
The third recommendation is to develop a roadmap for implementation both before and after the deadline. This legislation is too important to be handled on an ad-hoc basis. Once you achieve a solid level of compliance, you also need to maintain it; failure to keep a check on your progress and review standards across the organisation could result in serious unforeseen problems further down the line.
The GDPR may strike fear into the hearts of business leaders, but with the right procedures and tools in place, this need not be the case. The biggest threat this legislation poses is to those who either try to ignore it or fail to address its requirements with a comprehensive strategy that combines technology and people.
Adopted correctly, it will dramatically raise the standards of data security and privacy across Europe and beyond. Likewise, it will provide more accountability and responsibility, which are long overdue.
It's time to stop putting off the inevitable; it's time to seize the initiative on this upcoming challenge. The sooner companies start the great GDPR wake-up call, the better.