Ah, good old GDPR. Who would've thought that four little innocent-looking letters would be able to put the fear of God into businesses across the country?
The new EU-wide regulations on data protection and privacy are now just a few months away from implementation, with a 'Deadline Day' of 25th May 2018 looming. Businesses large and small face a significant challenge to ensure that the new rules and best practices are being adhered to, with the prospect of hefty fines (up to €20m or 4% of worldwide turnover, whichever is greater - gulp) for thouse who are caught out.
Don't worry, though - it's not all doom and gloom. Thankfully, help is at hand in the form of Peak's unique data-driven GDPR Processing Inventory compliance solution. There'll be more on that in an upcoming blog post, but first we need to set the scene and get you up to speed on all things GDPR. We've invited an industry expert on data protection, Julian Parkin, to Peak HQ to give us the low-down on what GDPR is and what it's going to mean to businesses.
Julian is co-founder of Parkin Avacade, a consulting firm which specialises in delivering the full life cycle of privacy and GDPR change programmes across organisations (in other words, he knows his stuff.) So, without further ado, it's over to you, Julian...
GDPR: What's it all about?
Let’s kick off with the basics - it stands for General Data Protection Regulation. In terms of differences to the outgoing Data Protection Act (DPA), the principles are similar in that they are both underpinned by an important EU philosophy - the individual retains rights over their data and lends their data to organisations.
GDPR acknowledges the shift in the power of modern organisations and how they can integrate different datasets to develop, what can be, a very detailed picture of an individual. These profiles can be rich, so GDPR seeks to ensure that companies understand, explain and appropriately handle data in a way that re-balances the customer relationship. It's expected, and hoped, that the increased fines for non-compliance will drive far better behaviours and practices within companies.
However, it's no walk in the park
Implementing GDPR best practices is going to be challenging for many businesses. The number of legacy systems and complexity within existing processes and applications makes this very difficult. More often than not, we're going to be seeing a complete overhaul of the risk and control framework of companies.
The focus is now on companies themselves to be proactive, define their data journey and provide evidence and management reporting to support the effective operation of their practices. It's going to be a big shift now that companies need to proactively demonstrate that they understand their privacy risk and measure and monitor their risk performance.
Am I too late?
The deadline isn't far away, and if you're only just starting out make no mistake that there's a lot of work to be done. The requirements are the same for everyone, remember, so it's better to get going sooner rather than later. Ensure you can modulate your activity to make significant progress across key areas of concern in your company.
Don't bury your head in the sand
Realistically, you're unlikely to be hit by a sanction on the day of the 25th May - based on my experience, I'm expecting regulation to gradually take effect. That said, companies need to take stock of their position on Deadline Day and define an ongoing plan to continually invest in their privacy capabilities in a world where the bar is always rising.
A key thing to remember is that it's about “when” something will go wrong, not “if.” Systems need to be constantly evaluated for potential failures and businesses should have a plan of action at the ready to manage an incident. In the past, regulators have used their new fining powers to punish egregious breaches - but, if companies can demonstrate that they are implementing appropriate technical and organisational controls, then their efforts will be taken into account when enforcement activity is evaluated.
What about long-term impacts?
This is a real sea change moment for the treatment of data across the whole of the EU. And - before you ask - GDPR will be adopted into UK law after Brexit, too. In the long run, you can expect larger companies to be employing full-time Data Privacy Officers to ensure that their business becomes (and, crucially, remains) compliant.
What's exciting for me about Peak's own GDPR compliance platform is its ability to provide both discovery capabilities together with live monitoring within a business-as-usual environment of system and data changes. Peak's AI-driven tool will undoubtedly be used to drive down costs in the discovery phase, and will be critical to continued compliance.
A big thank you to Julian from the Peak team for sharing his thoughts and insights for this blog post. If you have a question about GDPR and the impact it could have on your business, please do get in touch with Peak's in-house data experts to find out how we can help. You can contact us here.