Panic (noun): Sudden uncontrollable fear or anxiety, often causing wildly unthinking behaviour – Oxford Dictionary.
With less than a year to go until the EU General Data Protection Regulation (GDPR) comes into full effect, the title of this blog is inspired by a question asked by the Information Commissioner's Office’s (ICO) representative at a recent GDPR industry forum I attended. Having grabbed everyone’s attention, the pressure was eased with the suggestion that when implemented and complied with, the GDPR will build customer trust.
With delegates coming from a range of industries including financial services, energy and the public sector, and expert insights from the ICO, legal firm Brodies LLP and our own GDPR expert Elliot Rose – what were the key messages that jumped out at me?
The GDPR isn’t another Y2K
The palpable unease in the room was in line with what my colleagues and I are seeing when we talk to organisations: the moment when the significant impact of GDPR dawns on them, along with how far behind they are. Based on a survey of UK businesses conducted by Brodies LLP and Ipsos MORI Scotland, we heard that 30% are unaware of GDPR and 45% haven’t started any assessments to determine their readiness. Those respondents who do know about GDPR recognise it will have a high or medium impact on their organisation.
Reflecting on the business leaders who have said GDPR is “just another Y2K”, “just scaremongering” or “I won’t even do the minimum”, the firm message sent out by the ICO is that it will be enforcing the regulation.
One person can save you
Imagine this scenario. Files containing highly sensitive and personal data have been accidentally put in an office bin. The cleaner finds them, thinks that the documents are out of place and flags it up the hierarchy – ultimately saving the organisation from data catastrophe. In fact, this really happened. The lesson learned? Every organisation needs to undergo a cultural change and train its staff on their data handling responsibilities. It only takes one person to save you from disaster.
There’s no time like the present
At the forum, the expert panel set out a number of logical and practical steps you can take towards GDPR compliance. The first is to carry out a gap assessment against the GDPR requirements and to create a programme to plug these gaps. They also suggested setting up a dedicated programme team – with no team members having a ‘day job’ that would distract them from their work.
It’s not only the regulator who will ask about GDPR compliance
Looking to the future, attendees were encouraged to consider that soon their customers will start asking organisations about their GDPR capability. In the absence of an ICO certification programme, organisations will need to consider how they will demonstrate their compliance and assure their customers that their personal information is safe.
Otherwise, panic may be inevitable.
The GDPR is a game-changer. Learn how PA is helping clients make the most of this opportunity.