2017 will be the year of GDPR preparation

What is the GDPR?

More accurately, it is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

GDPR and Brexit

Some news for those in the UK.  The GDPR is probably not going away because of Brexit.  The UK is already committed to applying it from 25th May 2018, when the country will still be in the EU.  Even if the UK Government subsequently waters it down or implements its own version, the GDPR will still apply to any personal data you hold about individuals in the EU.

Governance & Accountability

The two main drivers of the legislation are to increase citizens' rights concerning the data held about them, and to increase the accountability of organisations and their management for taking those responsibilities seriously.  This will require you to have better governance of data, privacy issues and cyber security.

In many cases you will need new policies & procedures, and it is likely that new roles & responsibilities will need to be created.  More than anything, a new mind-set is needed amongst non-technical leadership, both to demand the right things from their IT providers and to pay for them.  Not that it's exclusively an "IT problem".  The whole organisation will need to readjust how it looks upon data about individuals.

You need to start your GDPR preparations in 2017

Thinking prudently, once the regulation is active you should assume that:

All of this means that, even though some of the details are yet to be decided, you need to start work now.  These are not trivial changes.  This is of the same order of magnitude as Y2K.  It means looking at all of your systems that hold affected data, working out how the regulation impacts each of them, and then implementing the changes and getting them live.  It means putting someone in charge of the programme and giving them a budget.  It means understanding where you are now and where you need to get to, in good time for 25th May 2018.

Three GDPR suggestions to do right now

  1. Read about the GDPR (here is a good starter for ten on the ICO web site), but also discuss it with your legal advisors.  Review your existing Data Protection Act (DPA) processes and understand how much more you will need to do.
  2. Because improving cyber security is a long process (and the threats keep getting harder to deal with), start now by taking a cyber security risk assessment.  You must reduce the risk of personal data breaches well before 25/5/2018!
  3. Discuss the possible impact of the GDPR at management meeting(s) and assign someone the responsibility of pulling together a cross-functional action plan covering IT, HR, Marketing and "the business".  Get some expert help in if you need support.