I always think data protection is a bit like housework. It's only when you don’t do it that it becomes noticeable. The dust starts to gather, the floors get sticky, windows get streaky and visitors start refusing offers of cups of tea on (unspoken) health grounds. You only notice the gaps in your data protection practices when something goes wrong and you have to handle the fallout.
That has been the way with data protection in Europe over the past 20 years. Companies mostly muddled along. Very few houses were spotless and no great harm came to most of them.
Carrot and Stick approach in GDPR
The GDPR is clearly aiming to change all that. My reading of the legislation is that it is adopting a “carrot and stick” approach.
The stick is, of course, the headline-grabbing fines that can be levied on businesses that fail to meet their data protection responsibilities. 4% of global turnover or €20 million is a significant figure for any company. It’s no wonder that a lot of the focus in the press has been on that.
The carrot is more interesting. The GDPR is clearly setting the groundwork for more self-regulation by introducing tools that companies can deploy to ensure compliance. (I’ll cover these tools in more detail through the series. Sign up below so you don’t miss any updates. Contact me if you’d like to suggest a topic).
Companies are wondering what they need to do to be ready for May 25th 2018. No-one wants to be the first to fall foul of the new regulations and get caught up in business-limiting headlines themselves.
Three Golden rules to get GDPR ready
These THREE GOLDEN RULES will get companies off to a great start.
- If you are collecting personal data of your customers, employees or suppliers, RESPECT IT. Do this by ensuring your employees always handle the data correctly and carefully. Understand the principles of data protection and apply them rigorously to all your data and across your organisation.
- Get the RIGHT GOVERNANCE STRUCTURES in place for handling personal data. Assign a qualified data protection officer and carry out a Data Protection Impact Assessment. The GDPR requires these for all companies with more than 250 employees. Your data protection officer doesn’t have to be full time. They can be contracted into the company for the role, but they need to understand data protection. They need to be capable of carrying out a comprehensive DPIA, and they need to report to a senior management level in the company. A good DPO and a well-executed DPIA will give you an action plan for GDPR readiness.
- Ensure your LEGAL FRAMEWORK is clear. Know whether you are a data controller or a data processor and ensure you understand and meet the requirements of your role.
Of course, it’s easy to make this sound simple and much more difficult to actually apply these rules so that they are effective. None of these activities will happen overnight. There is already a shortage of qualified and knowledgeable DPOs, so the queue for their services will be long (book now to avoid disappointment!). But I am convinced that the companies who start right now and get these three fundamentals right will be the companies best prepared for DP-Day in May 2018.