GDPR has become a buzzword in business circles over the past few months. If somehow you don’t know what it is yet, the GDPR (short for the General Data Protection Regulation (EU) 2016/679) is the new law that will come into force on 25 May 2018 - four weeks and counting – and will regulate how organisations across Europe process personal data.
The current law is the Data Protection Act 1998, but, given the technological growth and advancement since that law was passed, it is not really fit for purpose anymore. Sensibly, we have a new law that is designed, at least in theory, to fit with the modern world.
Whilst GDPR applies across Europe, it is important to note that it will also apply in the UK despite Brexit (the Government has made that clear). It will also apply to organisations anywhere in the world that process personal data about data subjects (the people the data relates to) who are in Europe. As a result, its reach extends much further afield than Europe itself.
The panic over GDPR has mostly been due to the potential fines for breaching it – up to €20m or 4% of global turnover, whichever is higher – and, because of that, a lot of businesses are asking: “I need to be compliant – please sort me out”. Unfortunately, it is not as easy as ticking boxes and being compliant. It is about much more than that.
GDPR compliance will require thinking – something none of us do as much as we should these days. GDPR goes to the heart of day-to-day business operations, impacting customers, suppliers, employees and marketing, and in many cases will require a thorough review of the personal data a business currently holds: why it is held in the first place, how it is held, where it is held, and how long it is held for.
Once that has been done, the business will then need to match up the results of that data audit with GDPR requirements, and change its processes to make sure it can comply. That compliance will require ongoing monitoring and maintenance after 25 May as well; this is not a one-off box to tick, but requires a revamp of internal processes to ensure data is protected in the long term.
GDPR - what you need to know
If you have not done so already, you need to get through the data audit summarised above. Given that the requirements are ongoing, somebody within your business should also understand the basics of GDPR and be able to drive compliance going forward. That person should initially get to grips with the “Guide to the GDPR” published by the Information Commissioner’s Office (the privacy regulator in the UK), as that will give a headline understanding of the wider commercial actions that need to be considered and put in place. That person should also start educating the leadership team within the business that GDPR compliance is not a simple process, and that it will take time and resources to achieve; my experience is that getting those leaders onside with the compliance process is often half the compliance battle won.
Once you have that basic internal understanding and recognise the scope of what needs to be done, ask for help where you need it. Don’t throw money at consultants (including lawyers) too early in the process, as you will end up paying them to help you understand your own business and how it handles data – that is something you need to do yourselves anyway to achieve compliance in the future.
Only ask for help where you know you need it and you are really stuck, such as with testing the security of your IT systems, understanding how to protect data when developing new products, or drafting legal documents. You know your business best, so don’t pay someone else to teach you about it.