Saturday 19 August 2017

Missing the GDPR deadline of May 2018: And then what?

As May 2018 looms, I’m aware of a growing number of companies that are seeking help with their GDPR compliance obligations. For most of them, it's a huge wake-up call.

Many (me included) have been sent a stream of emails from self-styled “GDPR experts” containing dire warnings of ginormous fines for non-compliance.

Many (me included) have been offered the opportunity to spend money on worthless qualifications from institutions I had never heard of to obtain some certificate of GDPR proficiency, entitling me to become almost as well qualified as the instructors claim to be. The principal “expert” of  an institute that contacted me recently had no idea whether his institute needed to register with the ICO, and had never heard of Nymity before. To the uninitiated, Nymity is a rather well known data protection solution provider.

But enough of these GDPR ambulance chasers.  If nothing else, they've raised awareness of the compliance problem. But how many are actually capable of delivering  compliance solutions that can be embedded within a workplace? Well, that's another matter.

The fundamental flaw in many of the “solutions” that currently appear to be on offer is that they are based on the premise that an appropriately experienced consultant can be embedded within an organisation for a short while in order that they can patch a bit (or a lot) of privacy tech into existing systems, create a library of GDPR-compliance policies and then disappear into the ether, leaving everyone to get on with their jobs, as they always have.

But this approach isn’t going to work.

Proper GDPR compliance requires a fundamental change in the behaviours of everyone in the organisation, coupled with an appreciation of just what is required. I really doubt that many organisations are really up for that.

Here are just two examples.

First, in the area of records management, the GDOR requires organisations to actually know what records containing persona data they have and where they are. This is not a new concept. After all, the ICO has been focusing on the need for effective records management for years. But what s new is the emphasis that the GDPR places on organisations knowing what personal information they have and how it is used.

For many companies I’m familiar with, this simply isn’t going to happen. They don’t have comprehensive Information Asset Registers and they won’t have comprehensive Information Asset Registers. Their IT infrastructure is simply too complex; it is perpetually evolving and new information assets are constantly being created by staff members who do not and will not follow corporate rules.

Second, in the area of experienced and knowledgeable Data Protection Officers, again most of the organisations I’m aware of have no idea how complex data protection law can be and so how best to recruit effectively for the role.  It’s not something anyone can just pick up in their spare time. And it distresses me no end to learn how much some people are being paid for what little technical knowledge they’ve actually acquired.

By next May, many public sector organisations will end up breaking the law by appointing someone with very little actual knowledge of their obligations  – or they will end up breaking the law because they didn’t realise that they had to appoint a DPO in the first place.

But I’m sure this is not just a “British” thing.  My international chums tell me that the level of awareness – or preparedness – is very low beyond Blighty, too.

Is the GDPR a stretch too far?

Right now, I think it is. While it contains standards that many responsible organisations would wish to aim for, I have no idea how many organisations within Europe really will be fully compliant by May 2018.  The larger companies  - and particularly those in the financial services sector - will of course strive every sinew to comply, and will commission scarce consulting resource to help them.  But will all he smaller organisations have the luxury of experienced support? Of course not.

It would be unfortunate if many organisations realised what a huge challenge GDPR compliance is, and simply give up, hoping that resource-poor data protection regulators won't go after them because they'll be too busy responding to complaints from individuals whose fundamental rights have evidently been infringed.

But this is a risk. Should non-compliance with a poorly written and over complex piece of legislation become too widespread through out Europe, and data protection regulators find it an overwhelming challenge to retain sufficient numbers of suitably experienced staff, perhaps some of the brighter EU policymakers will decide that the GDPR was a stretch too far, and that simpler – and yes, lower – standards, should be introduced.