By Tom Murray, Head of Product Strategy, Exaxe.
In fact, it was introduced in May 2016, but companies were given two years to comply. This ‘lead-in’ time is about to run out, which gives the media the opportunity for a surge in scare stories.
Scare stories are tempting for the mass media. The threat of impending apocalypse (or a €20 million fine) makes it so much easier to lure readers into an extremely important, but essentially boring, piece of regulation and make it interesting. As a result, there has been a high volume of panic stories in newspapers, periodicals and on TV and radio over the last month as journalists leap on the bandwagon.
The problem with scare stories is that, in emphasising the worst-case scenarios, they omit many of the more mundane but important issues that arise from the regulation. They get across the point that something needs to be done, but the scale of the changes and the threat of huge fines for non-compliance can be frightening and end up leading to bad and/or expensive decisions.
In many ways, the GDPR panic brings back memories of the Y2K panic that gripped most of the world in the lead-up to the millennium. Immense amounts of money were poured into resolving the Y2K problem without anyone having a clear definition of the scale of the problem to be solved. In the end, very few issues arose when the clocks struck midnight on 31st December, 1999. This is held by some to be the justification for the estimated 300 billion US dollars that was spent on preparing systems world-wide for the event: it worked. Others feel that the evidence from South Korea and Italy, two countries that spent little to nothing on Y2K remediation and yet experienced the same level of low-impact issues as other western countries, shows that it was essentially just a panic-driven event and a complete waste of investment.
With the GDPR panic now well and truly on, many companies are belatedly waking up to the issue and starting to spend left, right and centre in order to prepare themselves for the event. They are being pushed into an over-reaction in a frenzy that is being fed by some consultants in the area of data protection. It is always dangerous to allow the debate to be forced by those who can profit from it most.
Perhaps firms should take a step back and consider adopting an approach like the South Koreans and Italians. They should start by remembering that the GDPR is the successor to the original Data Protection Act of 1998, with which they are already in full compliance. This regulation is a significant step forward, but it is building on that solid foundation. This is not a total revamp but a broadening of the work that is already done.
The regulation itself is not prescriptive but is principle-based. Thus, it is not possible to have a checklist approach, whereby once you tick off all the actions, you have achieved compliance and can basically forget about it.
Instead, a key feature is that the regulation demands that companies are able to demonstrate compliance. This means that they must have the policies and procedures to monitor the way the organisation is seeking to uphold the six key principles of the GDPR.
These policies must be monitored and updated as the regulation is further defined by ongoing case law and updates from the Information Commissioner’s Office.
No regulation can remove all risk of a data security breach, and therefore this is not the standard that organisations have to achieve. Rather, they must show that they are using best practices for adhering to the GDPR and that they are treating this as a journey, not a destination. Regular and systematic monitoring of how an organisation is treating the personal data it is processing is key to showing that an organisation takes its data protection principles seriously and is doing everything it can to protect the rights of the individuals whose data it is holding. Rather than panicking over meeting an unachievable target in a very short time-frame, companies should be focusing on putting in robust procedures to protect data and to regularly monitor the effectiveness of these procedures and adjust them when necessary.