How I learned to stop worrying and love GDPR
Thinking about the looming GDPR compliance deadline brought to mind the phrase above, borrowed and adapted from Stanley Kubrick’s comically apocalyptic movie about nuclear war – 'Dr Strangelove'. (For GDPR substitute the bomb!)
Perhaps love is too strong an emotion for what is inevitably an additional burden for most businesses striving to keep abreast of the rules and regulations that colour everyday enterprise and practice.
However, after the initial dismay at yet another bureaucratic hurdle to jump, my company, along with the majority of our clients, partners and suppliers, has already started to take the necessary steps to meet both the compliance criteria and, of course, the May 25th deadline.
So with more of a feeling of resignation than joy, I feel strongly that a positive and realistic approach is far better than fretting and putting off the inevitable.
So what are the changes from the long-lived (and often forgotten) DPA, and what are the steps that we all now need to take?
Taking a pro-active approach, we have trawled through the plethora of information and advice floating about the web, tuned into ‘expert’ webinars and attended seminars, but cutting through that cloud of information has been no easy task. As you might have guessed, one source of detailed but surprisingly clear facts is the EU website https://www.eugdpr.org, whilst the GOV.UK site seems to offer little by way of up-to-date guidance.
What is clear and unequivocal in contemplating the changes is that GDPR certainly will give individuals far more control over their personal data and that is something we all have to consider carefully in terms of adapting our systems, policies and procedures.
So with this reality firmly in mind, the key concerns emerging from the flurry of guidance that we feel affect us directly are:
- Having the capability to respond to personal data requests.
- Making clear to clients exactly what ‘consent’ will now imply in future where their data is concerned.
- Putting a data breach response system in place.
- Checking carefully that policies clearly state why personal data is being collected/held with particular reference to consent.
- Appointing a Data Protection Officer.
This is exactly what we are already setting out to achieve by initially:
- Setting up an internal GDPR task group
- Enshrining compliance in our company policies & procedures
- Assessing/auditing our existing data holdings
- Extending the role of our existing Data Controller
- Setting out arrangements to meet the demands of Article 32 (accessibility)
- Putting a data breach incident response plan in place
- Clarifying company mechanisms for meeting queries, requests and data erasure demands
Boiling all of this down to the bones, what emerges as a sensible strategy is to look at the compliance challenge as a virtuous circle made up of four key elements:
- Confirm new elements & requirements of direct relevance to you
- Identify sources & holdings of personal information
- Protect & manage information/data
- Establish robust data preservation & access procedures
Sounds simple – well, it's obviously not going to be an easy process for us all to go through – but by attempting, and I feel partially succeeding, in cutting through the clutter, we feel better prepared than we were just a few months ago.
But GDPR is certainly here to stay, and to end on another quote from the Dr Strangelove movie: ‘I'm afraid this is not an exercise!’
Matt Baker is Deputy CEO at http://wearedestination.com