Will it be a hard or soft GDPR?
The new General Data Protection Regulation (GDPR) will come into force in May 2018 and will bring with it onerous fines of 4% of the previous year’s turnover or €20 million, whichever is the greater, for non-compliance.
Consult Hyperion, a data management consultancy, calculates that tier one financial institutions in Europe could be fined nearly €5 billion in the first three years following GDPR going live.
But with data breaches being part of business as usual for the majority of organisations, how likely is it that every company will be fully prepared for the 25th May 2018 deadline?
The truth is that most organisations are on a journey to get their data into shape for all sorts of reasons, not least compliance with the GDPR.
The new regulation has created a focal point for a great unravelling (to steal another term from Brexit) of corporate data, which tends to be stored in a range of repositories and on different hardware including smartphones as well as paper.
The new rules mean companies need to make information about how data is collected and retained more transparent. Customers will have the ‘right to be forgotten’ and companies will face new rules about how data relating to children is stored.
At an event entitled ‘GDPR – A Scary Regulatory Challenge, or a Useful Governance Framework?’ hosted by Qurated Network, those in charge of large-scale projects shared their views of the challenges presented by the new regulation.
The overwhelming view of the panel was that GDPR compliance has been an opportunity to ‘join up’ all of the previously separate initiatives to protect and audit data including legal, cyber and regulatory compliance.
In their view, it has been a chance to introduce a new governance model that makes it more viable to know what data exists, who owns it and who can access it. A soft GDPR (being able to demonstrate that the right steps are being taken, with more time to fully comply) rather than a hard GDPR (fully compliant on 25th May) appears to be very much on the cards.
One of the most complex areas is to work out where data may be held in the extended supply chain. Supplier contracts need to be examined and brought up to date with relevant information where necessary.
Another minefield facing organisations is the need to show clear opt-in consent from customers to use their personal data for particular purposes. This will be an area fully in the spotlight as consumers will no doubt be keen to highlight transgressions on highly visible social media.
The need to be compliant with the GDPR will therefore affect everyone in an organisation, from IT to legal and from regulatory compliance to marketing. From a PR and communications point of view, organisations will need to be prepared for some potentially damaging episodes ahead.
Written by Judith Massey, Executive Director