With exactly 100 days to go before the GDPR goes into effect, the risk of being unready is growing by the day. The Information Commissioner’s Office (ICO) has been clear that it won’t be lenient with ‘wait and see’ organisations that intend to find out what GDPR non-compliance means for someone else before taking decisive action themselves. And while that might sound like a minority stance, some estimates suggest that only around 10% of organisations are GDPR-ready today, meaning that a great many face problems on May 25th, and quite possibly fines soon after.
To avoid that, action is essential. But panic isn’t. A focused, strategic approach to understanding what data is held, how it’s managed and who can access it is the first step on the path to GDPR readiness. What’s more, it’s the best way to turn GDPR from an obstacle into an opportunity. And, as the time to May 25th ticks away, there are some key markers that can be used to measure progress.
Marker one: 90 days to go
The first thing to consider is a thorough audit of what data is owned or used, where it is stored, how it is used, and by whom – keeping in mind the finding that many organisations hold six times the amount of data they need, and three times the amount they should.
The most likely causes of GDPR fines are poor data protection and an inability to demonstrate compliance (the regulation’s accountability principle requires controllers to be able to show that they comply, not merely to comply). Knowing where the gaps are relies on a thorough understanding of your data estate, including the difference between owning and using data, and on simplifying data management, either by minimising the amount of data held or by reducing the number of people allowed to access it.
If this process is not already underway, organisations should begin immediately: review the lawful basis for each processing activity (consent being only one of the available bases), and create a framework for how data may be handled. This allows an organisation to document every data decision, which will be essential should it be asked to prove compliance.
Marker two: 60 days to go
Engagement and unambiguous leadership support are vital to an organisation’s GDPR success. The Data Protection Officer must be independent and empowered to do their job.
Part of this is gaining buy-in from across the organisation to put in place the policies and protocols that will ensure GDPR compliance from day one.
To reinforce this, it’s a good idea to use the 60-days-to-go marker as a spur for a DPO-led GDPR refresher course, ensuring that everyone is on board and up to date.
Marker three: 30 days to go
Even with buy-in at the highest level, there’s no guarantee that knowledge and understanding will trickle down through the organisation, or out to third parties, who must also be able to demonstrate their own compliance and GDPR readiness.
That’s why, at the 30-days marker, it makes sense to begin a GDPR awareness month. This should be aimed at getting all staff and partners up to scratch with what the regulation requires of the business, and of them specifically.
Minimum risk, maximum reward
All of these tactics are directed at a central goal: understanding where the risk is, and minimising it. Because although data is valuable, the more of it an organisation holds, the more likely it is that a risk will emerge – whether through a lack of consent to use it, leaks, or misuse by uninformed staff.
Responsibly used data can be an organisation’s biggest asset. With a focused, intelligent approach to GDPR prep, it becomes much easier to make that happen.
Florian Bienvenu, SVP EMEA, BlackBerry