In the latest of our GDPR Blogs, Peter Loomes, GDPR Practitioner, provides an overview of his recent survey results. When we look at the time businesses think it will take them to prepare against the actual time left, the immediacy becomes very clear.
As I write this on 13 April 2017 there are 281 working days to the ‘go live’ of GDPR on May 25, 2018. Why is that significant? Well, taking weekends, bank holidays and annual leave into account there are about 252 working days in a year. I’m sure you keep hearing this, but it isn’t long. No really it isn’t long at all.
I recently conducted a survey across a range of businesses: large, small, privately owned and public sector. Of those that responded, 25.6% felt that implementation of GDPR would take a year or more. Further to this, another 16.3% suggested that it would take them 6 months to a year. Then, when asked about resources, 37.2% said they hadn’t considered allocating resource yet and a further 23.3% had resource allocated, but they were not fully dedicated to GDPR. Oh, and finally, only 21% of businesses acknowledged that they understood what GDPR is. Those that thought it would take about a year were not too far off the mark. But if businesses are acknowledging that GDPR will take so long to implement, why have so many not started? Is it simply that they don’t know where to start?
Our advice to businesses is to start the work as soon as possible. Here are three areas to consider:
Understand where data is, why it is collected and what it is used for. In addition, understand where data is obtained and if it is passed on, who to, how and why. Expressed in that short sentence it seems simple, but it rarely is. This task can take some considerable time. Without this information, it will be impossible to assess the associated risks to the data. It will also be difficult to scope the amount of work the organisation will have to do.
Engage the senior management. After all they will need to support the implementation and ongoing work. Avoid using the scare stories and details of potential fines. This is wearing thin. Senior management need to understand the risks the organisation is exposed to and the realistic mechanisms to help reduce these risks.
Start to look at your security and organisational governance. Cyber Essentials is a good start for security. The five controls are acknowledged as reducing the risks of a successful breach of systems by 80%. The Information Commissioner, Elizabeth Denham, acknowledged this in a speech to the Institute of Chartered Accountants in England and Wales on 17 Jan this year. She said: “I would also recommend consideration of the government’s cyber essentials scheme”. GDPR considers security and processes to secure data alongside processes to manage the use of data. So, it is undeniable that Cyber Essentials would be a good start. Add to this IASME governance, which will help your business implement many of the governance processes that will support GDPR. You will be well on your way to achieving the objective of GDPR compliance.
At this stage GDPR is nothing to fear. The implementation is nothing more than common sense approaches to doing the right thing. The only time to fear GDPR is when the ICO comes knocking on the 26 May 2018 and you’re still planning.