This is not a box-ticking exercise, but a matter of cultural shift for many firms
There is a vast amount of “GDPR fatigue” spreading on social media, as the result of the incredible quantity of snake oil being dispensed on the matter. Unsurprisingly, every tech vendor has a magic solution that would make you compliant and countless “experts” have appeared out of nowhere.
At the receiving end of all this, many decision makers have started to compare the level of hype with the Y2K phenomenon: “All this is just a storm in a teacup, blown out of proportion by consultants, and in the end nothing serious will really happen” is something we hear more and more often.
It is in fact a simplistic parallel, and the GDPR differs from Y2K in at least three respects:
- Something real and tangible is going to happen overnight on 25th May 2018: the role of domestic privacy regulators will acquire a new dimension and, with it, your potential liability for data breaches will increase dramatically. Given the amounts involved (the regulation allows administrative fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher), this is not something executive management can ignore, even if there is no way of predicting the actual level at which the first fines will be set.
- The data protection regulators have been asking for more powers for the best part of the last decade, so it is likely they will seek to exercise them. It is hard to predict how they will “pick their battles” and when they will start, and it may vary country by country, but it is unlikely that there will be any “grace period” (firms have already been given two years to comply). Somebody somewhere is going to be the first to feel the new force of the law.
- The GDPR is open to interpretation in many areas, so it is likely that regulators’ decisions will be challenged if they get heavy-handed, but nobody has any interest in becoming a “test case”. This is not just the usual consultant’s scaremongering; it is common sense, in particular if your brand is a highly visible and key asset. Society at large has become more and more sensitive to privacy matters and the GDPR sits squarely within that trend. It has to be expected that the first cases, in particular where the breach is significant and the fine is large, will receive a vast amount of media exposure, and that the resulting negative publicity could be damaging.
The key for now is not to panic and to focus on real preparation. Data privacy legislation has been around for the best part of the last 20 years (in the EU, the GDPR replaces the 1995 Data Protection Directive and the national laws that implemented it), so your organisation will already have been exposed to it in some way.
You need to analyse your current level of maturity around those matters and build a GDPR alignment roadmap that matches your own priorities and your own resources, looking towards the 25th May 2018 and beyond as necessary: There are things you will be able to do by then and things that will take you more time. This is not a box-ticking exercise, but a matter of cultural shift for many firms, and there is no magic product or magic checklist that is going to make you GDPR compliant in 6 months.
You need to ensure that internal sponsorship is at a level high enough to be audible across silos (legal, technical, operational) and across the firm (business units, geographies, key external partners), and you need to make sure you put in place a governance structure that will track alignment progress efficiently and effectively.
Evidence of strong management backing and a genuine, trackable long-term approach to putting in place the “privacy by design” principles (which the GDPR makes an explicit obligation under the heading of data protection by design and by default) should always play in your favour with regulators, irrespective of the actual compliance challenges you may be facing.