A lot of people thought that the ‘Leave’ vote on June 23 2016 meant we could start forgetting about Brussels red tape.
However, that’s just not true. If you want to trade in Europe, it doesn’t matter if you’re American or Lithuanian, you have to comply with the EU as a trading bloc’s laws.
Nowhere is this truer than in the way any sort of company works with customer data. If you have any information about customers, then that counts as data, and a set of legislation is coming down the highway at full speed that you need to address as a consequence.
That’s the General Data Protection Regulation, GDPR – which, to quote the UK’s official privacy watchdog, the ICO, “will apply in the UK from 25 May 2018” – and which also tells you on its website that, “The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.”
From this month, October, you have six full months to sort it out. However, astonishingly, all this is still news to the vast majority of British business, which has simply not engaged with GDPR at all. A recent news report, for example, revealed that nearly a quarter of small UK businesses haven’t started preparing for it, while one in 10 enterprises with 500 or more employees are in the same position, a survey by storage firm NetApp found.
A project manager tool to help your GDPR internal audit
You probably know the consequences of falling foul of GDPR when it comes into force, such as the fact that if any company is guilty of a data breach it will face a fine of up to €20 million or four per cent of their annual global turnover, whichever is greater, compared to the current maximum UK penalty under our existing GDPR equivalent, the Data Protection Act, of £500,000.
But I don’t want to rehearse all that again. What is probably more interesting is to consider what practical steps firms can take now to get started here.
The good news is that we have a way forward that is not a magic bullet (any vendor message that pretends it is for GDPR is misleading).
What EASY can offer is a tried and trusted way – a way successfully followed by 400 German and Austrian organisations – to help you go into your environment and properly document and project manage your data governance activity, the activity you need to perform to get on top of this.
The way we’re going to make this possible is via our close partnership with a sister EASY company, otris software AG. Otris has been selling a fantastic software to manage the German data standard that GDPR is an echo of, called otris privacy. That software works by providing a workbench for the internal consulting process that you need to undertake to get GDPR-ready. This is something you can get from us today to get the GDPR ball rolling.
What can otris privacy do? Think of it as the support tool for the internal consultancy project you’re about to kick off. You’re going to talk (send questionnaires, collect data) with all relevant data stakeholders inside your four walls and find out where they are with GDPR compliance. You will then document that in detail, producing a highly granular snapshot of what’s what. And you can then triage, setting up a traffic light system where you will know what’s green (compliant), amber (a few questions to settle) and red (sort this or we are at risk on GDPR Go Live!).
Remember to use something!
Actually, this may be less of a painful process than you might think. But you still need to undergo it to ensure you are ready for when the auditors come in and ask for proof of process and GDPR leadership. You will also, in parallel, need to be implementing the other aspects of GDPR like assigning Data Controllers.
Personally I think GDPR is a very sensible uplift to the DPA standard and one that is long overdue – it’s ridiculous that we have so much difference in quality of data protection across Europe and I have a lot of time for the way the Germans have been thinking about data and its misuse. As I said, GDPR is in many ways a superset of the Federal Republic’s work on data protection, the famous Bundesdatenschutzgesetz.
Be that as it may, GDPR is a real challenge Britain has to deal with, and if you haven’t started now you won’t make that May 2018 deadline.
What you can and should do is use something like otris privacy, or an equivalent tool to start a process to offer the authorities as evidence you are not sticking your head in the sand if they come knocking.
Good luck with your GDPR work!
The author is Sales and Marketing Director at document management leader EASY SOFTWARE UK
EASY SOFTWARE UK recently won the prized category of ‘GDPR Ready Company of the Year’ at the 2017 Storage Awards for the solution described in this blog
‘The Storries‘ XIV were announced at a gala awards ceremony at The Grand Connaught Rooms on June 15
More information on EASY SOFTWARE and GDPR preparation can be found here