February 8, 2018

Ready for GDPR?
Are you ready for GDPR? It’s a question which seems to be cropping up on an ever-increasing basis as the implementation date of 25 May gets ever closer. And yet, despite all of the publications, blogs and updates there still seems to be an element of confusion about what GDPR means for businesses, clubs and societies.
Arguably one of the main reasons behind this level of confusion is the fact that GDPR is not a prescriptive ‘one size fits all’ regime. As a result, whilst the Information Commissioner’s Office (ICO) has issued guidelines, it is up to every organisation to implement the new General Data Protection Regulation in a manner which is appropriate for its business. For example, a small society which merely holds the names and addresses of members in order to send out invitations to events will have very different requirements from an organisation which holds financial, medical or other personal information and which may regularly share that information with third parties.
Having said that, both organisations will still be subject to the core GDPR principles of respecting personal data and instilling a culture of data security across the entire organisation. Nevertheless, because there is no single pathway to GDPR, implementation has been accompanied by a proliferation of myths which are acting as a distraction from the core purpose. In an effort to bust these myths, in 2017 the Information Commissioner published a series of blogs covering areas such as consent, data breach reporting and subject access rights.
The key messages which arise from these blogs relate to trust, respect and common sense. The final blog posted on 22nd December also makes the important point that the endpoint for GDPR isn’t 25 May. Rather, GDPR is an ongoing requirement which will need to be continually reviewed and flexed in line with organisational strategy and operational needs. This places the responsibility for GDPR firmly in the hands of the directors and executive team. Moreover, the pathways followed in order to build an understanding of the way in which data is held and manipulated within an organisation will be similar to any other risk appraisal and mitigation exercise; and therefore something with which leadership teams should already be very familiar.
As the ICO takes pains to stress, GDPR is not a complete unknown, building as it does on previous data protection regulations. Yes, it will require organisational commitment, understanding and staff training, but in an increasingly data-driven world those steps are vital anyway for businesses which are looking to maximise their opportunities.