Reflections of a GDPR Data Protection Officer (Part I of III)
As 2017 draws to a close, I sit here in my corner office and begin reflecting on what has transpired in the world of the EU's General Data Protection Regulation (GDPR), and on my apprehensions about what the coming year, 2018, will have in store for me, my colleagues, the organisation and the business.
I must admit that, not only in our organisation but across the industry, the focus on privacy strategy, on asserting ownership of data-related issues and on the rights of the data subject has been hyped beyond belief. The major stakeholders, i.e. the IT department, HR and marketing, have staked a claim to their responsibility for doing the right thing as senior management, instead of focusing on the accountability requirement of the GDPR implementation. The GDPR project leader classified the stakeholders into three categories: the Bears, who were self-starters; the Horses, who did what they were told; and the Donkeys, who needed guidance all along.
The most comprehensive personal data protection law ever seen
The countdown will begin when we all return from our Christmas and New Year break, with only five months left to establish the complete and integrated GDPR infrastructure before the implementation date. The board of directors decided early on to use the GDPR as a means of achieving competitive advantage.
Our chairman's vision was that, since the primary aim of the GDPR was to act as a privacy safeguard for consumers and citizens, and since the EU was well ahead in the data privacy and protection game, he wanted to reap the benefits of early implementation. Therefore we aligned the GDPR with our globalisation framework and our global economic and political interdependence strategy.
Long overdue facelift of the IT structure and our databases
In the beginning, our chairman's vision for the GDPR had a significant (read: negative) impact on the business, primarily because of the cost and the resources consumed. However, once the different business units could see that we were addressing a vast number of manual data protection practices and IT issues, the negativity eventually drained away, because many positive elements of IT integration and process automation came to the drawing board as a result of our GDPR implementation. Later, the entire organisation could see that the GDPR implementation effort had given it a uniform IT platform, and the streamlining of the data privacy and data protection processes was an encouragement. We got a long-overdue facelift of the IT structure and our databases.
The cultural and disciplinary issues in many areas of the organisation were a shocking surprise, notably because our GDPR implementation required a higher level of transparency and accountability towards the entire management team and the customer base. We can, however, now see the benefits, both organisational and behavioural, as we look forward to delivering greater benefits, control and structure in our data and IT activities. At the same time, we will be able to give the data subject greater control over their personal data.
Organisations are accountable for how they handle personal data
Apparently, the GDPR is so vital that even Her Majesty the Queen focused her attention on it in her 2017 speech. Despite Brexit, the UK government is committed to legislating to incorporate the GDPR into UK law.
These and other significant moves provide global businesses with the assurance that, because of globalisation, the corporate intention to meet the GDPR obligations shows no sign of slowing down; on the contrary.
Our company was fortunate enough to have started the implementation several months ago. This has given us the opportunity to design and streamline data handling across the organisation. Our focus on data transfers and binding corporate rules has made it easier to share data safely, and at the same time we have introduced more stringent data protection rules across the entire organisation to suit an increasingly digital age.
I understand that other companies have not been so fortunate as to get a head start on the GDPR implementation, and to them I say that it is best to consider GDPR implementation as a journey. Some of my colleagues are distressed that importance or relevance do not design their user data. To them, I also reiterate the need for a paradigm shift in the GDPR implementation project plan, one that embraces the realities of the digital age that will affect all aspects of our corporate lives in cyber and IT security.
The EUGDPR Institute has several three-day DPO seminars planned that could well provide you with the guidance you need to start your GDPR journey in a structured and integrated way.
I will continue these reflections in the next two blogs here on LinkedIn next week.
Reflections of a GDPR Data Protection Officer (Part II of III)
Staying with digital, 2018 will most likely see an emphasis on protecting digital identity and personal data in the field of international privacy, as this gets more strategic attention in boardrooms. Public and private sector entities, in increasing numbers, are prioritising digital and cloud solutions for efficiency gains. Moreover, GDPR compliance is not self-evident: where some say it is over-prescriptive, others claim it is non-prescriptive, underlining that there is no "black-and-white" compliant or non-compliant state, only degrees of interpretation. 2018 should see a body of practice emerge and develop to accompany the regulation, as companies take more responsibility for aligning their internal processes with the text of the regulation. Furthermore, we should expect EU regulators to become more conversant and more active, with greater capability, know-how and guidance.
So, why would the UK implement EU-wide legislation after the start of Brexit negotiations? Firstly, it is important to understand that the UK was (and still is) a major influence behind the new European legislation, so it is natural that it would still adopt the GDPR even with Brexit going ahead. Secondly, with UK and EU legislation aligned from May 2018, the UK will maintain its ability to share data with other members of the EU, for example between police forces and other international authorities. Preserving this ability is imperative in the fight against terrorism and other cross-border crimes.
Reflections of a GDPR Data Protection Officer (Part III of III)
The GDPR will affect organisations across all industry sectors, and all must ensure they are up to speed by its implementation next year. Whilst the new legislation will bring some welcome consistency for multinational organisations and employees working across Europe, the legislative burden of new rights for individuals and fines of up to 2% or 4% of global annual turnover for breaches are likely to take a toll.
For this reason, it is important that organisations avoid accidental breaches by ensuring that all employees are prepared and understand what they need to do to remain compliant with the GDPR. Human error (undoubtedly in the form of a lack of understanding and knowledge) has proven to be the main cause of data breaches in years past, and supposedly 'harmless' mistakes still make up a large percentage of data protection law violations and the consequent fines.
Organisations need to act quickly to ensure they are not caught out next May, and can take advantage of DeltaNet International's GDPR eLearning courses to get up to speed. We offer three GDPR training courses which together form a comprehensive package covering your preparation for the GDPR, what your organisation's accountability under the new legislation will be, and a microlearning course created to clarify the new legislation's 'right to be forgotten' provision.
The courses outline the UK's Key Priorities for the GDPR, which are:
- Ensuring data protection rules are suitable for the digital age.
- Empowering individuals to have more control over their personal data.
- Giving people the right to be forgotten when they no longer want a company to process their data.
- Modernising data processing procedures for law enforcement agencies.
- Allowing police and the authorities to "continue to exchange information quickly and easily with international partners".
Failing to prepare for the GDPR could have disastrous consequences for organisations, with penalties for non-compliance including fines of up to €20m or 4% of annual global turnover, whichever is greater. It is not just the fine, however, that could damage organisations, but also the reputational damage and adverse publicity that follow.
Our GDPR training will help you prepare for the GDPR in the correct manner, and we will be adding to our portfolio of courses as more details come to light about exactly how the GDPR will affect organisations.
On that note, and this being the last editorial of the year, it remains for me to wish you all a splendid festive season and New Year! At the IAPP, we look forward to serving you all in 2018, which for many will be a real beginning come May.