Drowning In GDPR?

Posted by Chris Scott

I already know what you are thinking: not another GDPR blog! If you’re anything like me you’ll be getting about five emails a day, scaring you into the belief that the new EU regulation is out to get you and that failure to comply is going to cost you your business. Figures like fines of 4% of your global turnover or €20 million are in every piece of literature you read on the subject. There is information overload and many conflicting views of what you can and cannot do under the new regulation.

As a Data Protection Officer, I work closely with clients and partners to understand their concerns and what actions they are taking. I also attend forums, conferences and meetings to look at the issues surrounding GDPR. I offer free consultations to clients so I can not only discuss the fundamentals of GDPR but also further understand why there is so little urgency. After lengthy debates and listening to various opinions it is clear that “Paralysis by Analysis” is impacting businesses. The questions I hear are: “How does GDPR affect my business?”, “What is relevant to me?”, “How do I identify all of the business’s Personally Identifiable Information (PII) and protect that information while proving that I comply?” and “Where do I start?”

Overthinking any situation or problem only leads us to analyse our options in more detail, which then leads to procrastination or, as I like to say, “It goes into the too-difficult bucket”. This is largely what is going on right now with GDPR. If we break the regulation down, we have 99 Articles and 177 Recitals to consider that need applying to our business somehow. That is on top of our day jobs. Then, if we add the overwhelming influx of information, opinions and different interpretations around GDPR, you suddenly find yourself unable to know where to start, and then you’re back into analysis mode without moving forward, which leads you to, you’ve guessed it, “Paralysis by Analysis”.

What should you do if you find yourself in this situation? Firstly, if you think about GDPR from a risk perspective, the first question is: “Does the risk of not doing anything outweigh the risk of doing something?” Answer: “Yes!” We already know GDPR has been designed to be effective, proportionate and dissuasive. Therefore, not doing anything is not a risk worth taking if you value your business. The talk amongst like-minded data practitioners is that many businesses are playing the waiting game. Once we start seeing an influx of non-compliant companies, or worse still those that have been breached and issued harsh fines, we will then start to see companies taking this seriously. If you are one of these businesses, stop! You are taking a huge gamble. GDPR cannot be overturned or repealed by any government as it has been agreed by all member states within the EU. This means every organisation within the EU, or those handling EU citizens’ data, has to comply with the regulation and there is no compromise.

When rolling out PCI DSS and GDPR, the hardest thing I found was getting started. The analogy often used when implementing a new standard, making significant change within a business or in your personal life is the “rocket going to the moon” example. More energy and effort is expended in the first moments of launch, breaking from the earth’s gravitational pull, than is used for the entire journey. A lot of companies I speak to are in this position and are finding it difficult to know where to begin. Although there is an abundance of information, it tends to raise more problems and questions than solutions. Companies trying to outsource GDPR tend to find that there are plenty of consultants to choose from that will provide a gap analysis. However, there isn’t the right blend of services to highlight the focal areas, safeguard you and your customers from the threats, and then report those threats to the right audience so preventative measures can be budgeted, agreed, planned and implemented, whilst raising the right level of awareness.

This problem is solved by what I refer to as the GDPR toolkit, and it should be in every service provider’s kitbag when working with customers. If you haven’t taken action by now, the chances are that you need some help to get you started. You need to understand what the roadmap to achieving GDPR compliance looks like for your organisation. You will need to be able to demonstrate to your board that every pound spent on compliance will save and protect your business from exposure to breaches, reputational damage or proportionate and dissuasive fines. You will also need the confidence that whatever technology is implemented will serve and protect the needs of your business. The GDPR toolkit is an essential set of services that help you gain compliance in the shortest time whilst having access to industry leaders to provide guidance every step of the way.

If you have not already taken action to move your business toward GDPR compliance, you are not alone. With a regulation of this size, it is difficult to find the necessary time in our busy schedules to know where to start. A GDPR toolkit will help you get started, as it will allow you to determine what help you need and then tailor the services, which puts you in control. Once you have determined the path, the rest will be plain sailing.

To find out more about how The Bunker’s GDPR Toolkit can help you prepare for GDPR compliance click here.