GDPR has been a popular topic throughout 2017 so far, and for a good reason; those who are ill-prepared for the new regulations coming into place in May 2018 could be hit by hefty fines and a PR disaster.
It’s not all doom and gloom
Despite GDPR being a recognisable risk for some, and a change that needs to be noted and dealt with by many, it’s reassuring to know that a lot of companies are putting in place the necessary requirements to deal with GDPR.
Research done by Computing shows that 62% of the IT leaders they surveyed believe their organisations have a better-than-average understanding of the legal requirements of GDPR, with as many as 18 per cent of firms having a very good understanding.
This is great to see, especially when considering some of the more complex elements of GDPR such as the right to be forgotten and the right of erasure. As part of this, organisations will need to be able to find all personal data attached to an individual, which might be duplicated thousands of times across a large organisation (something that might be made difficult by heavy paper processes!).
In some cases, a qualified data protection officer will need to be appointed and of course, any data breaches must be reported within 72 hours, or risks fines of up to four per cent of global turnover or £20m.
What changes are you / will you be making to comply with the European General Data Protection Regulation (GDPR)?
This is where things get interesting. Although a lot of IT leaders and companies have a good understanding of GDPR, the approach to preparedness is a different story.
Almost half (49%) of businesses are reviewing data deletion policies, while 43 per cent are both carrying out a personal data impact assessment and taking steps to limit data processing. While these figures could seem high, it means many more firms are not making changes in these areas.
When you really look at the numbers above, it becomes more noticeable that only 19% of organisations are employing a dedicated data protection officer and maybe worryingly, only 31% are providing additional security measures.
Dealing with GDPR effectively
If there’s one thing not to be forgotten in regards to GDPR, it’s that GDPR is a far more exacting piece of legislation than the patchwork of pre-internet era laws it replaces.
The regulation covers all owners and processors of personal data. If you collect contact details, serve advertising or have a CRM system, you will be affected. If you use cloud services, exchange personal data with your supply chain, or purchase marketing lists, you will be affected. If your web site serves cookies or if you provide multiple services based on one tick-box, you will be affected.
That’s a lot of businesses that will be affected. That’s not to say everyone should panic, but rather everyone should be prepared and put in place the necessary actions to remain compliant with GDPR.
The impact of GDPR also spreads far beyond digital services and across the myriad paper-based records your business holds.
To deal with GDPR effectively, IT leaders and all others involved in data management in a business need to be considering the control measures they can put in place to remain compliant with the upcoming regulations.