The world is awash with comments about the GDPR, and almost every single one of them focuses on the negative. In this paper we will look at what the GDPR is, together with how it is likely to be interpreted when it comes into effect in 2018. We will try to avoid jargon, or at least explain it when its use is unavoidable. We will also outline the salient points, the challenges, and the solutions.
The coverage has been negative
Report after report emphasises the downside of the GDPR: huge penalties, shaming by the media and the upheaval implicit in changing how we collect and use personal data. To a certain extent this is understandable: the maximum fines are very large indeed; organizations that are prosecuted are likely to be exposed in public, damaging their reputations, creating trust issues, inviting private legal suits and even restricting their ability to trade; and many will need to make substantial changes to processes and working practices.
Certainly, to be compliant with the GDPR there will need to be stricter data security, more granular obligations for handling personal data, and very likely more investigations and audits. But rather than fearing and loathing the GDPR, it might be wiser to embrace it.
The advent of the GDPR heralds a major change in how personal data is managed, but it is a change that has been coming for a long time. For too long and too often, organizations have not been held accountable for the data under their control, even when the sensitive material they hold merits more care and attention.
This attitude has enabled organizations to take advantage of the lack of independent oversight which in turn leads to data handling practices and strategies that are inconsistent with the basic concepts of data protection. And this can leave individuals open to scams and abuses of their privacy.
But there’s reason to be positive
Through the lens of embracing change, the GDPR can be seen as an inflection point that provides an opportunity to make big improvements to data collection, stewardship and sharing. If we make those improvements then we will not only comply with the new rules and minimize our chances of exposure but also keep customers happy, improve our brands and build a platform for business analysis based on accurate, concise, and coherent information assets.
At Eximious Consultancy, we recommend that you tackle the GDPR head-on, conducting an audit of the data under your control and taking this chance to finally reach that elusive goal of a “single version of the truth.” We recommend that you ask tough questions of your current vendors and data processors too, so that you are fully prepared and cognisant of all relevant risks. We will also point to relevant codes of conduct and approaches as a way to frame and develop your own strategy for GDPR compliance.
JUST HOW BIG IS THE GDPR?
Some people compare the impact of the GDPR on IT and businesses with the Y2K bug, in that it marks a hard stop and demands fast remedial action. But perhaps a more valid point of comparison is the Sarbanes-Oxley Act of 2002. Introduced in the wake of various corporate governance scandals, SOX introduced strict rules on business management, auditing, reporting and accounting transparency.
At first it was met with dismay as “more red tape,” but many business leaders later considered the journey to compliance to have been very good for management, and for understanding assets and processes that had become fragmented and knotty. And just as with the GDPR, SOX demanded that IT play a key part in unravelling those knots and creating workable new processes.
We won’t pretend to have all of the answers. The GDPR is subject to interpretation and change and it will be incumbent on all of us to pay close attention before and after it comes into effect.
WHAT IS IT?
The GDPR is an attempt to harmonise data protection rules across the European Union and to strengthen data protection and security for individuals in the EU.
WHEN DOES THE GDPR COME INTO EFFECT?
It is enforceable from 25th May 2018. Because it is a regulation rather than a directive, it applies directly and member states do not need to pass domestic legislation beforehand.
SO IT ONLY APPLIES TO EUROPE?
No. It also governs the export of personal data outside the EU, and it applies to any organization that processes the personal data of individuals in the EU, wherever that organization is based. That is a vast number of organizations that trade or interact with Europe.
WHY SHOULD I CARE?
Because experts believe the GDPR will have a huge impact on how data is collected, processed, used and shared.
The penalties for non-compliance with the GDPR are very large, and they are a big part of the reason the GDPR has garnered so much attention. The GDPR provides for fines of up to four percent of worldwide annual turnover for the preceding financial year (or €20 million, whichever is higher); for a $1 billion turnover firm, that would equate to a maximum penalty of $40 million. The threat of such large fines means that companies cannot easily set aside funds to cover the event that they are found to be non-compliant. Nobody can say with confidence that these hefty fines will be applied to anything approaching their fullest extent (and some regulators are indicating that smaller fines will be levied except in exceptional circumstances), but nobody wants to find out the hard way.