Sunday 10 September 2017

The case for delaying the date the GDPR applies for a couple more years

A huge percentage of the organisations I’ve recently come into contact with have little chance of becoming “GDPR compliant” by May 2018.

To be fair, a good proportion of these organisations have spent the past decade or so ignoring the professional advice that's available on how to better comply with the requirements of the existing data protection legislation.

The task, which is (a) to understand just what is required of them by the GDPR; and (b) to implement the necessary measures, is simply overwhelming. 

Organisations with little or no concept of records management, and with little or no concept of how long they need to keep information for in order that they can met their own business requirements, will find “compliance” a particularly difficult challenge.

Some organisations appear to think that self-proclaimed (and yes, sometimes self-certified) GDPR “experts” will, for a not inconsiderable fee, apply their special brand of privacy witchcraft and, with a fistful of pre-prepared policies and procedures, sprinkle compliance stardust into areas that other policies daren’t venture.

Some organisations appear to think that all that's required is a quick visit from "experts" who will offer an outsiders’ view of issues they know nothing about, and that said "experts" will do their stuff  (and map those damn data flows) without anyone else ever needing to change the way they work.

No.

The problem with data protection compliance is that a successful compliance programme requires people at every level of an organisation to comply.

Well, that’s too simplistic.

The real problem with data protection compliance is that a successful compliance programme requires people at every level of an organisation to appreciate what risk the organisation is running, as a result of its information management procedures, and to appreciate whether particular risks are within the organisation’s risk appetite.

So, the first step is for an organisation to define its risk profile. Then it can take a decision on the extent to which it will address data protection (and, more specifically, the GDPR’s requirements. Then, and only then, can it embark on a change programme to implement the relevant improvements.

Can most companies manage this by May 2018? Or can they evidence that they can meet their accountability obligations?

Especially when there’s so much scope for interpreting the GDPR in different ways?

I’m not optimistic.

I’m certain that many companies are trying hard, though. And I know that many other companies would like to comply, but they simply can’t obtain the professional support that's necessary to convert the language of the GDPR into terms that most people can readily grasp.

My sympathies are also with regulators who are put in a pretty dreadful position by the text of the GDPR. First, they have to decipher certain GDPR requirements and put their own spin on the meaning. Then, they need to contemplate taking enforcement action against organisations who disregard said spin.

Also, being in the position of (theoretically) being able to take significant enforcement action against virtually every data controller in the land for some GDPR transgression or other will present challenges as the more enlightened data protection regulators strive to foster a close and constructive working relationship with these data controllers.

Perhaps we need a further 2 year transition period so that the Data Protection Board can get its act together and issue clearer advice with regard to the new requirements (i.e. those that weren’t already enshrined in domestic data protection law), before national data protection regulators take it on themselves to contemplate enforcement action against organisations that breach the new requirements.