Life beyond the EU GDPR. What’s next?

Most organisations have already started, but for those who are behind the curve with the EU GDPR, what should they do to become compliant by 25 May?

The key thing to do is to focus on the real high-risk areas and prioritise them. When we work with clients we take a risk-based approach, which identifies where their high-risk processes are and which systems contain the most sensitive information. My advice is to start by putting some basic controls in place. You may have to look post-May on how to do it more effectively, but there are some basic principles that you should put in place right now. Simple steps include securing sensitive information and looking where it’s stored, how it’s handled and who has access to it. It’s still not too late: many companies will be working on remediation post-May.

What are some examples of organisations that are embracing the opportunity?

There are a couple of examples out there, especially in the consumer market. We’ve been working in the automotive sector where some of the more advanced clients are thinking not only how to be compliant with the GDPR, but also considering their whole dealer network and where their business strategy is going. Many car manufacturers are thinking how in the future, they may sell services, autonomous vehicles etc., and they’re going to need to be able to collect a lot more personal information. We’re seeing some clients embrace the regulation, thinking about how to set the strategy so the need for consent or contractual legal obligations is in place to allow them to operate effectively in the future.

Another example is in the life sciences industry. The volume of data, in terms of contracts and business processes associated with personal information they handle, is huge. They hold a huge amount of personal information about clinical trials. So part of the challenge there is to use technology effectively. There’s a growing technology market nowadays that can help organisations map their process inventories, understand what they have to do in terms of privacy impact assessments, and make sure they continue to be compliant when there are changes in those processes or systems. We’re helping clients use some of the leading-edge technology in this area to make sure they’re compliant.

Are you seeing any new trends in terms of organisational governance?

Many organisations are looking at whether they need a data protection officer (DPO). There are some guidelines if you’re processing very sensitive data or if you’re a government organisation then it’s pretty obvious you need a DPO. But many organisations are still debating whether they need to have one in place. If they don’t, then they still need a DPO function which reports into the board. We are also seeing some organisations setting themselves up as a ‘DPO as a service’; I think we’ll see that evolving in the future.

What should every business be thinking about now to ready themselves for a post-GDPR world?

Organisations are working hard ahead of the GDPR deadline.  Many of our clients are asking “Is this like Y2K, and when we get to May it’s done?” It’s clear in the regulation that it intends to be a business-as-usual activity going forwards. That means privacy has really arrived in the organisation – a bit like health and safety. So businesses should be thinking about their operating model, and how they’re going to ensure that they will continue to be compliant with the GDPR once they’ve got to that point.

They should also be thinking about their new business processes surrounding the individual access rights. They can anticipate more enquiries and think about how they’re going to handle and triage those enquiries, how they’re going to get the information required to service them, and how they’re going to meet the regulation which is set out there. So we talk to clients about the operating model, we have a comprehensive operating model plan which can take clients through what they need to be thinking about post-May.