Countdown to disruption?

Post on 09-Oct-2020



With just months to go until the clock on GDPR’s much-hyped ticking time-bomb finally reaches zero, can those that have taken action be sure they’re completely covered? And what will the blast site look like for those that aren’t?

T minus 10, 9, 8, 7… With May’s deadline for GDPR compliance approaching fast, firms that haven’t already taken appropriate steps have no choice but to start doing so in short order.

And yet given the tech industry’s stubborn predilection for scaremongering and FUD* peddling over the years (Millennium Bug anyone?!), one might be forgiven a degree of cynicism when it comes to GDPR. It sounds so benign, right? There are even those who think it may yet turn out to be a damp squib.

The question is, with the regulations becoming enforceable by law on 25th May, can enterprises take the risk? How blasé and cynical can they afford to be?

Not very, as it turns out.

And with recent research highlighting that a surprising proportion remain largely unprepared (or at least under-prepared) for the transition, it’s quickly becoming a real concern. Particularly given the fines of up to €20m (or four per cent of global annual turnover, whichever is higher) that could result from non-compliance.

One study asked what businesses saw as the trickiest aspects of GDPR with which to comply, for instance. The biggest concern (cited by around half the participants) was the right of erasure (aka the infamous ‘right to be forgotten’). But one in four firms reported not currently being particularly or at all confident in their ability to comply.

This alone suggests that data practices still aren’t what they ought or need to be. That there are data supply chain concerns. And that enterprises still don’t have the grasp on their data processes and locations that they want, and are most definitely going to need, come the summertime.

There also appears to be a level of misapprehension about the regulations’ breadth and scope, with less than a third citing the GDPR’s 72-hour breach notification rule (the window, running from when the organisation becomes aware of a personal data breach, within which the supervisory authority must be informed) as a major challenge, for example.

Plainly then, there are still elements of the legislation of which enterprises aren’t fully abreast. Such as, commonly?

First, the exact – and exacting – wording of data breach notification requirements, which means that something as seemingly trivial as the loss of an unencrypted USB stick holding personal data has to be reported.

Also, the fact that GDPR will impact the utilisation of non-EU cloud services. Moving personal data outside the EU requires a lawful transfer mechanism, so the merest use of such a service without one could potentially put an organisation in breach. Do your teams habitually retain customer information – particularly personal customer information – in personal or departmental cloud storage? Are you sure? Not even Dropbox or OneDrive?

Another related misconception is that the GDPR’s remit is limited to the EU itself.

It isn’t. Indeed, it has nothing less than global reach, applying not only to EU organisations but to any business processing the personal data of people in the EU (and it is residence in the EU, not citizenship, that brings an individual within scope).

Okay, how about Brexit? That’s sure to make a difference, isn’t it? Nope. None whatsoever. Regardless of the political stance of your organisation. Not if it’s still doing business in the EU or even just with EU citizens. Besides which, the UK will almost certainly still be an EU member at the end of May (no pun intended).

Allied with the fact that the government is likely to either retain GDPR or implement something broadly similar in any event, the whole argument becomes moot anyhow.

All in all then, those that aren’t yet fully prepared need to get that way. Rapidly. Because while understanding the requirements is one thing, translating that understanding into living, breathing compliance will be something else entirely. Moreover, the larger the organisation, the more complex the process will be.

Accordingly, if you haven’t yet done so:

Conduct a data audit at once. What data has been collected? Where is it being stored? Who has access to it? Why was it collected? How is it being used?

Examine your privacy policies to ensure they’re in line with GDPR’s more stringent transparency and accessibility criteria.

Appoint a Data Protection Officer and/or team. A formally designated DPO is only a GDPR prerequisite for some organisations (public authorities, and those whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data), but dedicated data protection expertise is invaluable for compliance in any organisation, and also in improving data management and governance overall.

Educate. Everybody. Internally and externally. Every person in the organisation needs to understand the importance of GDPR. Those outside it, i.e. your customers, need to see that your business is treating the issue with due gravity. Such a move will also very likely have hidden benefits.

Those embracing and displaying transparent, trustworthy practices – and being seen to do so – will ultimately be the winners in the consumer-centric democracy now emerging.

Complying with GDPR will be a big ask, but it will also afford a unique opportunity to develop the kind of new working practices that will be essential as we move further into the customer age.

GDPR really does have teeth. And it will use them. But those enterprises that can turn this to their advantage will discover that it gives them extra bite too.

*FUD, in case you were wondering, stands for Fear, Uncertainty and Doubt.

And so will GDPR for those who don’t act soon.

Insight article
