03 May Data governance
It seems hard to believe that it is three months since we last touched on the topic of GDPR. When we asked the question ‘Are you ready for GDPR?’ in February, the implementation date seemed a long way away. Now, with only a few scant weeks to go, the pressure is on to be GDPR ready by 25th May.
With a recent survey revealing that 39% of UK businesses don’t currently expect to be ready in time, that’s a lot of last-minute preparation. On the plus side, however, UK preparedness is ahead of Europe, with 54% of European organisations expecting to miss the deadline. Perhaps more worryingly, 14% of UK organisations are already anticipating being fined as a result of a lack of GDPR compliance.
Those whose preparation is somewhat lacking would do well to head to the website of the Information Commissioner’s Office (ICO). This not only contains a ‘12 steps to take now’ guide and a data protection self-assessment toolkit, it also provides guidance on a range of scenarios. Even if you have previously visited the ICO website, it is worth taking another look as the guidance is continually being updated.
For example, in April the ICO took the opportunity to expand the section on accountability and governance. Starting with the comment that “Accountability is one of the data protection principles”, the guidance leaves organisations in no doubt that GDPR is a boardroom issue. The list of potential measures to be taken includes adopting and implementing data protection policies, carrying out impact assessments, and adhering to relevant codes of conduct; all areas which flow from strong boardroom oversight. This section also includes a handy checklist which starts with “we take responsibility for complying with the GDPR, at the highest management level and throughout our organisation.”
Whilst some organisations are rushing to comply with GDPR, those who believe they have already ticked all the boxes should not be complacent. GDPR is not a finite exercise. Rather, it is an ongoing process which will evolve in line with organisational and system developments. As a result, boards should consider strategy and developmental changes in the light of GDPR requirements. As ICO commissioner Elizabeth Denham recently commented, “across the world people are beginning to wake up to the importance of personal data, and it is up to us – as regulator and those striving to comply with the law – to keep that fire burning.”