GRC Tuesdays: Modernise Your Business, and Consequently Cover GDPR Part One
Nine months before the European Union (EU) General Data Protection Regulation (GDPR) becomes effective—what a poignant number! What will your company “give birth to” on that day?
I was listening to the ICO commissioner Elisabeth Denham recently and was struck by the “plain good business sense” she was describing while talking about her expectations for GDPR readiness.
So I thought I’d chat about this theme. And just to be clear, this blog in no way implies that the ICO or Elisabeth Denham sanctions what I say below.
How Ready Will You Be?
In May this year, Gartner predicted that by the end of 2018, more than 50% of companies affected by the GDPR will not be in full compliance with its requirements (Gartner Newsroom report).
Now I’m not a legal person and I can’t express a legal opinion or even remotely suggest an interpretation of a supervising authority. But I can put myself in the shoes of a board or management team running a company. As that administrator, this would become one more of the always-changing list of topics and programs that I’d have to manage (balancing objectives, risk, cost, resources, timing). This one is admittedly more challenging than many.
My real intention is to become compliant (GDPR is not optional). But realistically, I probably can’t put everything in place to meet every requirement of GDPR by May next year. So what do I do? There are so many other programs to be managed. I need to be pragmatic.
What Is Your Business Culture?
Before considering implementing change, I should understand what my starting point is. In other words, what is my current company culture? I need to examine the culture as it relates to data privacy specifically for GDPR, but also in other areas that might assist or resist this need for change. After all, meeting GDPR is not a matter of managing expectations; it is active business change.
“But at the centre of the GDPR is the concept of broader and deeper accountability for an organisation’s handling of personal data, … a demand that organisations understand, and mitigate, the risk that they create for others in exchange for using a person’s data” ICO commissioner Elisabeth Denham
I think if we’re really honest, we can admit there are few organisations that treat personal data consistently in terms of the risk to individuals’ data, and that put the rights of data subjects first. Bear in mind GDPR covers employees, customers and suppliers. It’s not just about having a high-profile online presence.
To quote Elisabeth again, “It’s about seeing the broader responsibility and impact of your work in your organisation on society.”
And with increasing numbers of ‘digital natives’ joining the working community who seem comfortable leaving stashes of personal data all over the internet, company culture is even more important to ensure this doesn’t become the default approach to corporate data privacy.
Is GDPR at Right Angles to Your Business or Aligned?
So how big is this change? How intrusive is it?
As I and others have discussed elsewhere, the intrusion of the GDPR is significant for any business. And my thinking is that it’s about time.
But there are a few aspects that I believe are important to highlight to help you feel confident in your ability to meet major parts of GDPR. In Part Two of this blog, I’ll cover similar legislation, master data management, access governance, cybersecurity, and the internet of things.
For more information on the new regulations, read our other GDPR blogs.