The GDPR cometh...

I’m writing this on a significant date: January 1st 2018. Happy New Year everybody! And, of course, many of us have just enjoyed (survived?) another significant date: December 25th. Now, that’s the thing about Christmas: it’s on December 25th each year. Has been for millennia. EVERYONE knows that. And yet, having let 364 days of the year pass by since the last Christmas Day (365 on a Leap Year!), how many of us are still looking for those last few presents on Christmas Eve? Well, usually me, for one. I’m generally an organised person, but however early I start buying presents, there always seems to be at least one gift that gets procured with only a few hours to spare.

That’s the problem with a deadline that seems a long way away: there’s plenty of time, right? Then the next thing you know it’s on you, and you’re wondering where all those months went.

And we have one such deadline looming in 2018: May 25th. The day the General Data Protection Regulations (GDPR) come into effect across Europe, the UK included. Just like Christmas, we have all had plenty of warning about this and, also just like Christmas, it could well result in a bit of a last-minute scramble. According to an international poll by data protection specialists Varonis, as of early December, 60% of the businesses they surveyed said they were not ready for GDPR.

At the moment I’m working with a small company to help them get GDPR-ready. One of the first things I had to do was reassure them that GDPR is not as scary as it seems – something not helped by the focus on the new, much-increased fines that can be imposed under the new regulations. Yes, data protection is a serious business, and not complying with GDPR is not an option. But as Information Commissioner Elizabeth Denham recently said:

“… we pride ourselves on being a fair and proportionate regulator and this will continue under the GDPR…. Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action. That means being able to show you have been thinking about the essential elements … and who is responsible for what within the business.”

GDPR is about having systems in place to meet the requirements for gathering, storing, processing and disposing of data. If your business has these in place but a mistake still happens and the regulations are breached, your encounter with the regulator will be a lot more constructive than if you have ignored the GDPR and have no evidence that you have tried to comply.

The real first step in meeting GDPR is not being scared of it. The second step is circling May 25th on your calendar and making sure you don’t let it sneak up on you!