GDPR: don’t wait, act now
First of all, if you haven’t already, have a look at our extensive coverage of the topic of the General Data Protection Regulation (GDPR). There is a lot of good information there that should help guide you and your organisation, irrespective of size.
Secondly, a piece of advice that was given by a speaker at one of our TechFire events on the topic resonated with me at the time, but only in the subsequent months have I understood how prescient it was.
The GDPR deadline is 25 May 2018. If an organisation begins on 1 January, and they will not because it is a bank holiday, there are 144 days or 4 months and 24 days. That is just less than five months in which to implement the most far reaching data protection regulations in a generation
Tom Hulton, the chair of the ADPO, and An Post’s corporate compliance manager said in response to a question from the floor that in order to understand the magnitude of the task of GDPR compliance you first had to understand how much and which kinds of data you have.
That might sound simple, but the context was that the question was framed from the point of view of starting the compliance efforts in January.
The GDPR deadline is 25 May 2018. If an organisation begins on 1 January, and they will not because it is a bank holiday, there are 144 days or 4 months and 24 days.
That is just less than five months in which to implement the most far reaching data protection regulations in a generation.
Hulton said that until you have done the data discovery aspect of the preparations, until you have examined your data to know what it is, where it came from, how it was collected, for what purpose and when, you don’t know how much you have to do to become compliant.
The reason I am labouring this is that I have had multiple conversations with people since that event in September where I have been asked ‘what do I need to do to get compliant?’
And I have to start with Hulton’s words.
I fear that many organisations are going to roll up collective sleeves on 2 January, with 143 days to go, many of them weekends, and find that their task will take distinctly longer than 4 months and 23 days.
Some recent figures from IBEC sound encouraging but still reveal a high level of inaction.
A survey with A&L Goodbody found that:
- 47% have assessed the data protection risks to the organisation
- 46% have appointed a GDPR implementation team
- 44% have compiled an inventory of all personal data held by the organisation
- 42% have appointed a Data Protection Officer
- 29% have held staff training workshops on GDPR
- 21% have assigned a GDPR implementation budget
Don not let that last one pass you by—21% have allocated a GDPR implementation budget, which means 79%, more than three quarters, have not.
Now you might argue that many larger organisations in particular, who are used to heavy regulatory regimes, may be funding GDPR compliance out of ordinary regulatory matter budgets. And that’s fair enough, but, there are many organisations who do not operate in such regulatory regimes and I would bet a lot of them have allocated no budget.
Taking some of the other figures, all are below that magic 50% mark! This is despite 87% saying that GDPR is a “significant issue” and 61% having taken some steps toward compliance.
“While the results of today’s report highlight many positive actions currently being undertaken by Irish business,” said Erik O’Donovan, head of Digital Economy Policy, IBEC, “it also reveals that just under 40% of companies surveyed have not yet begun a programme to ensure compliance by May 2018. It is imperative that this is amended…”
I’ve deliberately cut that there because anyone who knows anything about GDPR knows what O’Donovan cites next, and rightly so—fines.
But the warning of fines does not seem to be working for that more than a third of organisations who have not begun compliance efforts.
Perhaps it should be adjusted to a different implication of non-compliance—it will stop your organisation from processing personal data.
Think of it, how would it be if you were not only heavily fined, but barred from processing the personal data of EU citizens, would you still be able to do business?
Today is 1 December—the actual start of the Christmas season. Do not wait until the 1 January, make a resolution now. If you have not begun the data discovery phase of your GDPR compliance efforts, stop everything and do it now. Only then will you know how much work you have to do and what resources—including time—you will need to do it.
The consequences of not doing it, could be devastating.