From May 25, 2018 the General Data Protection Regulation (GDPR) will apply to all businesses based in the EU.
When discussing its impact with clients, I am frequently struck by the number who clearly feel overwhelmed by the breadth and depth of the topic. This may be in large part due to the fact that they are surrounded by vendors and advisors with strong interests in the most stringent reading of the regulation.
For any organisation that holds personally identifiable information (PII) in Europe, GDPR is a real concern. Empirical evidence suggests that a majority of companies are going to struggle to make the deadline; May 2018 is just around the corner. As with other regulatory changes, businesses will ultimately have to make an assessment of business risk that balances business continuity with the potential downside. It is very likely that many businesses will struggle to meet this deadline, even at the minimum level of compliance.
GDPR has energised service providers across a number of sectors, and this is part of what generates a sense of foreboding in any business that holds data on its customers. Companies looking to comply need to weave together legal services, training for staff, assurance and audit, cyber, data governance vendors and, potentially, system integrators. There is also a clear requirement to manage all third-party contracts where they touch your PII.
All this is to be co-ordinated by the newly appointed Data Protection Officer (DPO). It is unlikely that they will be an expert across all of those services. Those DPOs are also likely to hit the peak of their workload during the final quarter of 2017.
An important question then is: how do we give the DPO a manageable brief, one that balances meeting the deadline with a managed return on the investment? Here are a few “tips” for the newly appointed DPO in your firm:
1. Frame the challenge as a business win.
For all of the hype, GDPR is asking companies to use data with the care and consideration that we would almost certainly like (and often presume) as a consumer.
2. Understand the minimum required to be compliant.
Ask your service providers to clearly define the minimum requirements to achieve compliance, as distinct from the solution being presented. You may well wish to go further than the minimum, but it should be an explicit choice. One of the characteristics that we see in this market is the re-branding of existing products as GDPR solutions. This is particularly prevalent amongst data management tools. So, check that you are not being sold an old product in a new box that far exceeds your minimum GDPR requirements.
3. Use common sense.
Recognise that there are grey areas. For example, we are not aware of off-the-shelf solutions that deal effectively with audio and video data management. Everyone who has that type of data will be in the same, ambiguous position. The important thing will be to have a considered position.
4. Do not hold external providers to higher standards than your own IT function.
We often see a lot of unnecessary delay and exasperation where a client’s legal function faces off directly against a cloud provider. The first issue is a learning curve (‘what do you mean that you don’t keep all my data in one location?’). The second is that the cloud provider will have an engineering-led approach to how they operate. That requires an approach focused on acceptable business risk rather than absolutely no risk.
In summary, businesses should look at GDPR as an opportunity. A major impediment most businesses face in implementing data analytics strategies is actually knowing what data they hold, what it is used for and what it could be used for. By forcing your business to better understand your data, GDPR could be the catalyst of future opportunities and growth for your company.