GDPR is coming - but what is it and why has it come about?
Unless you have been hiding from the CIA in an undisclosed secret location, ‘finding yourself’ in a distant part of Tibet, or trying to figure out how on earth fidget spinners are making someone a LOT of money, you have almost definitely come across GDPR, or, to give it its full name, the General Data Protection Regulation.
Covering every social media surface like the kind of rash you would only show a doctor and punctuating daily security news with an endless array of marketing promises around compliance, GDPR has become a feeding frenzy and just about everyone has a product, service or opinion that’s going to guarantee compliance ‘before you get fined 20 million euros’.
The problem is GDPR needs much more than whizz-bang products. It’s about getting on top of information management – properly! This, I suspect, is why, contrary to the percentages of organisations attesting to being ‘ready’, many are nowhere near ready enough for the big bang in May 2018.
Proper information management is, after all, hard work, laborious, costly and inglorious.
Something also worthy of note is that in spite of all the offers of compliance, no-one has all the answers. As I see it, this is down to two key elements. Firstly, most of the answers need to come from you, and secondly, there is no GDPR certification programme providing a checkbox-based “get out of jail” card. Compliance, therefore, is a tad open to interpretation (i.e. how you interpret the regulation and enact controls accordingly in the context of your organisation) and in truth, it is likely that we won’t fully understand what compliance really looks like until the first few lucky souls have visits from the Information Commissioner’s Office (ICO) post May 2018.
So, in the spirit of trying to be useful, I have tasked myself with pulling together a series of blogs over the next few weeks in an attempt to dispel some myths and provide some clarity. Based on the expert opinion of others, the blogs will be focussed on how those of us living in the real world (the one with limited resource and budget) can get to a better place for GDPR, without haemorrhaging cash on consultants to help figure out what on earth Brussels want from you.
Here we go then: an open discussion and sharing of ideas to help make your path to GDPR a little less painful. Please pitch in, by the way – the more opinions and discussion around this topic the better…for all of us!
Remind me…what’s GDPR again?
GDPR came about largely because the 32 states of Europe were all trying to fudge their way through regulating the way businesses safeguard personal information with outdated legislation.
In the UK, this was the Data Protection Act 1998. Yes, that’s 1998 – the year Google was founded, a lady with a beard won the Eurovision song contest, David Beckham got a red card at the World Cup against Argentina and Leonardo DiCaprio pronounced himself “king of the world” shortly before watching his world sink to the ocean floor having just hit an iceberg. That’s a lot of stuff for any year, but cybercrime had yet to show just how much of a threat to privacy it would later become.
Think how far computing and our reliance on digital services in everyday life have evolved since then and it is clear there was a problem. The average UK citizen is estimated to have as many as 118 online accounts that potentially include information that could identify them. And that’s before you even try to discover information held that is not linked to an account they own – local council, credit cards, marketing agencies, current insurers, ex-insurers, that company that gave you a loan and the three that didn’t – the list is endless.
Something clearly needed to be done to drag the law kicking and screaming into the 21st century, so after some light discussions in between croissants and frothy beers, the European government actually came up with something pretty good – GDPR. Designed to ensure the privacy of individuals, it comes into effect (i.e. becomes legally enforceable by the Information Commissioner’s Office) on 26 May, 2018.
The legislation was finally released last summer and a full copy, in all its glory, can be downloaded for free.
Can’t be bothered reading it?
I’m not sure I blame you to be fair, and I’m happy to be a guide of sorts, but I would suggest that if you are going to have anything to do with the way your company goes about getting (and staying) compliant, you give the full GDPR document a read (after a couple of goes it starts to grow on you).
Either way, there are lots of things to consider and it’s not easy to figure out where to start. So in the next blog, we will have a look at the basic principles of the regulation and try to identify the primary challenges it creates for organisations.
The views expressed on this page do not constitute legal advice and are intended for information purposes only.