GDPR – Are we nearly there yet?
I am sitting writing this piece in the spare couple of hours I have on the train to London. There’s a family sitting opposite with two young children, and one of them keeps asking, “Are we nearly there yet?”
I’ve been talking across market sectors on the subject of GDPR and speaking at seminars regularly over the last 12 months, and that question has got me thinking about our own long journey. The fact is, we are nearly there!
I was recently asked at a GDPR event in London what my one piece of advice would be. With the GDPR deadline almost upon us, that question has given me cause for some reflection and a little introspection.
Around this time last year, GDPR was something most technology vendors were talking about fervently, pitching products with almost mythical capability to help you achieve GDPR compliance. Some were even guaranteeing compliance through use of their products; I suspect their legal departments strongly advised them to drop that tack. It gave others the opportunity to revitalise some almost forgotten products that had sat on the shelf, but at that moment in time it seemed pretty much everyone in the industry was talking GDPR. From a customer’s perspective, I think all this hype didn’t help and often led to more confusion about what to do. It consolidated my view that our strategy for helping customers has always been built around the things we’re good at, namely securing and managing the data, and that this should be our focus on GDPR.
Customers, however, weren’t quite so exuberant on the subject. Early last spring there was some interest, but most customers seemed concerned with more short-term issues: today’s problems and the ones likely to happen next week and next month. For most it was something they had to consider, but not yet, with one telling me, “You’re not going to mention GDPR, are you, ’cause I’m sick of people coming in and talking about it.” I also think some were hanging their hat on Brexit, hoping it would mean the UK would be exempt.
Fast forward a few months to late summer, and their mild indifference had turned to concern. I was taking phone calls saying, “I’ve been told to sort out this GDPR thing, what do I need to do?” My first piece of advice was to get yourself up to speed on the legislation, then start planning what you need to do. We can help you with some of the aspects around managing and securing your data, but we can’t do it all for you.
And herein lies one of the biggest challenges: the implications of GDPR for a business are so vast and overwhelming that it instils a sense of sheer dread and panic. How many subject access requests will we get, and how will we manage them? What is our policy on the right to be forgotten? How can we prove we’re compliant? Where do we actually start? This leads me back to my one piece of advice. The whole organisation has to buy in and work towards GDPR compliance, because it affects the whole business. Everyone is responsible, individually for themselves and collectively as part of the business, for achieving compliance.
At the same GDPR event, I asked a room of delegates for a show of hands: who will be compliant by the May deadline? Out of a room of 50, only 3 hands went up. When I asked who was well down the road to being compliant, about half the room put their hands up. This straw poll shocked me a little; it’s not too dissimilar to the response I was getting 6-8 months ago when I asked the same question.
So what are my thoughts now? Well, speaking as a private individual, I think we all want organisations to be responsible with our personal data, but as recent headlines show, this is not always the case. As the deadline approaches, it looks to me like very few organisations will be compliant on day one, and what will happen then? As we all know, the penalties can be harsh, and if my admittedly unscientific straw poll is anything to go by, there’ll be tears before bedtime.