Many organisations have already put together GDPR teams, appointed officers, and started on a journey of discovery with the aim of ensuring they are compliant when the new data protection legislation comes into force in May next year.
Although it’s wonderful that companies are preparing well in advance, many are not going about it in the most effective and efficient way.
Rather than starting immediately to make sure any data they capture from ‘today’ is compliant, many are immersing themselves solely in the ‘discovery’ process – conducting a company-wide analysis of how they use data, who they share it with and how they should reconfigure their systems and processes. This could involve, for example, working with a specialist consultant to map out how data flows through the organisation, identifying key problem areas, and making sure any elements that threaten compliance are reviewed, and that new processes are devised and implemented.
Discovering how compliant the current state of your data systems and strategies is, and coming up with solutions to bring them up to the standard GDPR will demand, is a noble and highly worthwhile activity. However, depending on the size of your organisation or database, it could take a long time. And while you’ve been focusing on the big picture at the macro level, nothing has been happening at the micro level.
Until you have completed the discovery process and implemented any recommendations, all your existing data, along with all the new intelligence your business captures, will be governed by your old protocols – or lack of them. As such your GDPR compliance will be in question.
This is a problem because the clock is ticking towards GDPR day in May next year. The longer you leave it to actively validate the data you currently hold and to ensure that new data is captured with a sufficient level of consent, the smaller the proportion of your data that will be demonstrably compliant when the new rules kick in.
If the discovery process takes longer than expected – and we are in uncharted waters here with no real idea of the storms that may lie ahead – you could reach a situation in May when you can only use a small proportion, if any, of your data because you’re not sure it is GDPR compliant.
But don’t panic. It doesn’t have to be this way. As humans, we have a natural tendency to procrastinate and fuss. “We must get our systems sorted before we can start collecting compliant data!” But this simply isn’t the case.
By all means, thoroughly examine your systems and strategies, but do this alongside making sure that your existing data is compliant with GDPR and that the new data you capture is collected with the appropriate consent of the subject. In the case of GDPR compliance, you can multitask. In fact, not doing so could well prove to be reckless come May 2018.
This advice isn’t based on the ramblings of a lunatic or someone who doesn’t know their GDPR from their GDP. It is clearly set out in the ICO document ‘Preparing for GDPR – 12 steps to take now’, yet it still seems to be ignored. These guys are the experts, for goodness’ sake!
Step one simply advises you to make sure everyone is aware that the regulation is changing and the ramifications of non-compliance.
Step two is the big one. It tells you to get to grips with your existing data: “You should document what personal data you hold, where it came from and who you share it with”, essentially to establish whether it’s compliant. Consent has its own step in the same document (step seven), but the two belong together: documenting what you hold is only half the job if you carry on collecting new data without the right consent rules in place.
Steps three to 12 go on to cover reviewing your systems and strategies – the discovery process. But these should be carried out alongside step two, because you need to make sure that as much of your data as possible is compliant regardless of what’s happening with the other processes.
For example, if you have a website with a capture form, fix it now so that it states clearly what the data will be used for and obtains the consent the new rules require. If you start doing this and other immediately fixable things now, at least all your new data, and hopefully a lot of your existing data too, will be compliant and usable beyond the GDPR deadline. Considering that businesses are increasingly reliant on their customer data, this would certainly be a good thing, so act today.