A huge percentage of the organisations I’ve recently come into contact with have little chance of becoming “GDPR compliant” by May 2018.
To be fair, a good proportion of these organisations have spent the past decade or so ignoring the professional advice that's available on how to better comply with the requirements of the existing data protection legislation.
The task, which is (a) to understand just what is required of them by the GDPR; and (b) to implement the necessary measures, is simply overwhelming.
Organisations with little or no concept of records management, and with little or no concept of how long they need to keep information in order to meet their own business requirements, will find “compliance” a particularly difficult challenge.
Some organisations appear to think that self-proclaimed (and yes, sometimes self-certified) GDPR “experts” will, for a not inconsiderable fee, apply their special brand of privacy witchcraft and, with a fistful of pre-prepared policies and procedures, sprinkle compliance stardust into areas that other policies daren’t venture.
Some organisations appear to think that all that's required is a quick visit from "experts" who will offer an outsiders’ view of issues they know nothing about, and that said "experts" will do their stuff (and map those damn data flows) without anyone else ever needing to change the way they work.
No.
The problem with data protection compliance is that a successful compliance programme requires people at every level of an organisation to comply.
Well, that’s too simplistic.
The real problem with data protection compliance is that a successful compliance programme requires people at every level of an organisation to appreciate what risk the organisation is running as a result of its information management procedures, and to appreciate whether particular risks are within the organisation’s risk appetite.
So, the first step is for an organisation to define its risk profile. Then it can take a decision on the extent to which it will address data protection (and, more specifically, the GDPR’s requirements). Then, and only then, can it embark on a change programme to implement the relevant improvements.
Can most companies manage this by May 2018? Or can they evidence that they can meet their accountability obligations? Especially when there’s so much scope for interpreting the GDPR in different ways?
I’m not optimistic.
I’m certain that many companies are trying hard, though. And I know that many other companies would like to comply, but they simply can’t obtain the professional support that's necessary to convert the language of the GDPR into terms that most people can readily grasp.
My sympathies are also with regulators, who are put in a pretty dreadful position by the text of the GDPR. First, they have to decipher certain GDPR requirements and put their own spin on the meaning. Then, they need to contemplate taking enforcement action against organisations that disregard said spin.
Also, being (theoretically) able to take significant enforcement action against virtually every data controller in the land for some GDPR transgression or other will present challenges for the more enlightened data protection regulators as they strive to foster a close and constructive working relationship with those same data controllers.
Perhaps we need a further two-year transition period so that the Data Protection Board can get its act together and issue clearer advice with regard to the new requirements (i.e. those that weren’t already enshrined in domestic data protection law), before national data protection regulators take it upon themselves to contemplate enforcement action against organisations that breach the new requirements.