As May 2018 looms, I’m aware of a growing number of companies that are seeking help with their GDPR compliance obligations. For most of them, it's a huge wake-up call.
Many (me included) have been sent a stream of emails from self-styled “GDPR experts” containing dire warnings of ginormous fines for non-compliance.
Many (me included) have been offered the opportunity to spend money on worthless qualifications from institutions I had never heard of, to obtain some certificate of GDPR proficiency entitling me to become almost as well qualified as the instructors claim to be. The principal “expert” of an institute that contacted me recently had no idea whether his institute needed to register with the ICO, and had never heard of Nymity before. To the uninitiated, Nymity is a rather well-known data protection solution provider.
But enough of these GDPR ambulance chasers. If nothing else, they've raised awareness of the compliance problem. But how many are actually capable of delivering compliance solutions that can be embedded within a workplace? Well, that's another matter.
The fundamental flaw in many of the “solutions” that currently appear to be on offer is that they are based on the premise that an appropriately experienced consultant can be embedded within an organisation for a short while so that they can patch a bit (or a lot) of privacy tech into existing systems, create a library of GDPR-compliance policies and then disappear into the ether, leaving everyone to get on with their jobs as they always have.
But this approach isn’t going to work. Proper GDPR compliance requires a fundamental change in the behaviours of everyone in the organisation, coupled with an appreciation of just what is required. I doubt that many organisations are really up for that.
Here are just two examples.
First, in the area of records management, the GDPR requires organisations to actually know what records containing personal data they have and where they are. This is not a new concept. After all, the ICO has been focusing on the need for effective records management for years. But what's new is the emphasis that the GDPR places on organisations knowing what personal information they have and how it is used.
For many companies I’m familiar with, this simply isn’t going to happen. They don’t have comprehensive Information Asset Registers and they won’t have comprehensive Information Asset Registers. Their IT infrastructure is simply too complex; it is perpetually evolving, and new information assets are constantly being created by staff members who do not and will not follow corporate rules.
Second, in the area of experienced and knowledgeable Data Protection Officers, again most of the organisations I’m aware of have no idea how complex data protection law can be, and so no idea how best to recruit effectively for the role. It’s not something anyone can just pick up in their spare time. And it distresses me no end to learn how much some people are being paid for what little technical knowledge they’ve actually acquired.
By next May, many public sector organisations will end up breaking the law by appointing someone with very little actual knowledge of their obligations, or they will end up breaking the law because they didn’t realise that they had to appoint a DPO in the first place.
But I’m sure this is not just a “British” thing. My international chums tell me that the level of awareness, or preparedness, is very low beyond Blighty, too.
Is the GDPR a stretch too far?
Right now, I think it is. While it contains standards that many responsible organisations would wish to aim for, I have no idea how many organisations within Europe really will be fully compliant by May 2018. The larger companies, and particularly those in the financial services sector, will of course strain every sinew to comply, and will commission scarce consulting resource to help them. But will all the smaller organisations have the luxury of experienced support? Of course not.
It would be unfortunate if many organisations realised what a huge challenge GDPR compliance is and simply gave up, hoping that resource-poor data protection regulators won't go after them because they'll be too busy responding to complaints from individuals whose fundamental rights have evidently been infringed.
But this is a risk. Should non-compliance with a poorly written and over-complex piece of legislation become too widespread throughout Europe, and data protection regulators find it an overwhelming challenge to retain sufficient numbers of suitably experienced staff, perhaps some of the brighter EU policymakers will decide that the GDPR was a stretch too far, and that simpler (and yes, lower) standards should be introduced.