Achieving General Data Protection Legislation or GDPR compliance has provided a new setup for the old punchline, “…Well, I wouldn’t start from here“. Most companies could probably think of a million things they would prefer to spend cash on other than compliance with GDPR. The European Commission have guessed as much, and have made the penalties eye-wateringly expensive to catch senior management attention. Fines max out at 4% of global turnover of the parent company for the most egregious breaches, but there are plenty of serious fines before you get to this point.
The EU paint the provisions of GDPR as strengthening existing data protection legislation with a few additions. From reading the new compliance requirements, they are seeking to translate current best practice into a minimum legal standard, with some hefty extra requirements thrown in for good measure.
For example, as of 25th May 2018:
- You may need to have appointed a Data Protection Officer (DPO);
- Breach reporting becomes more onerous;
- Your obligations may extend beyond your own organisation into your partners;
- Data subjects will have the right to be forgotten;
- All business processes and IT changes you make will require an auditable data protection design phase.
This raises the bar considerably for process designers, compliance staff, data owners and controllers, and for the IT team in every organisation, but most importantly, it makes data policy a boardroom issue.
At Pathfinder, we know that the people who can best implement the changes required by GDPR are those closest to the customer, but because it is quite a technical topic, it’s not always easy to explain what new behaviours are required. What’s more, it’s not possible to prescribe actions for every scenario. You need your staff to behave in a way that reflects the ethos and values of the GDPR by instinct, and this means GDPR-awareness must become part of your selection, training, design, appraisal, and reward systems. (Whisper it… we are talking about culture change!).
In short, GDPR is a beast of a piece of legislation, but the principles espoused are thematically consistent with all legislation that precedes it. If you have always been sharp on your data compliance, then you will have an advantage in remaining compliant once GDPR comes into force. If, however, you have not given data compliance and security the focus it deserves up to now, be aware!
If you do want to get to your destination and need some help getting there, from anywhere, Pathfinder has created a quick guide to GDPR which we can share with you by contacting firstname.lastname@example.org.
Pathfinder and the MBA Association of Ireland are running a GDPR event on Wednesday 11th October. To register click here.