Oh my goodness, “lies, damned lies and statistics”. The surprise in this headline is that it implies that 39% are ready, a figure we would treat with some doubt! Why is that?
Well, first, because most working people are busy enough just keeping pace with their everyday job without having to take something else on board. As a consequence, it is easy, and very human, to keep your head down and wait for some external force to make you take notice. We have good news for you, if that is the case, as the purpose of The DPO Centre is to provide the exact additional resource you will need to deal with the GDPR.
Second, because if you do not know what it is, then you might reasonably carry on assuming that it does not apply to you; let other people worry about it! Fact is that it is almost impossible to run any organisation without holding some personally identifiable information, even if it is only of your own staff. Only an initial briefing will put you in a position to assess whether you need to comply, and if you do, then an impact assessment will establish your required approach. You must also ascertain (as a matter of urgency) if you are a Data Controller or a Data Processor (or both), so as to ensure that (amongst many other things) your contracts with your Controller or Processor partners cover the many new liabilities that GDPR creates. More on this can be found here.
Thirdly, there is the reaction to an ever-increasing burden of regulation: a resentment of, and resistance to, what appears to be more and more bureaucratic control, requiring more of your scarce time. Once again this is very human, but we believe we can show you that these regulations are sensibly drafted and probably essential protection against the ever-increasing criminality in cyber space. If you cannot stop crooks burgling your house, then you have to fit locks!
Next, there is the reluctance to change embedded in all of us. We like things as they are, familiar and certain; embracing something new will take an energy and commitment that we would prefer to avoid. With GDPR we have to say that this is not an option, but the role of Data Protection Officer does contribute a new resource that will manage a great deal of the change for you, continue to advise Chief Executives and monitor progress.
So our fifth heading becomes cost, and there is the unavoidable fact that any compliance process has an associated cost that we have to either accept as a price of doing business, or stop what we are doing. Once again, it is understandable that any organisation under revenue pressure will resent that, and seek to avoid it. So our objective is to limit and constrain that cost as far as possible with structured and professional procedures.
What we must close with is the risk you are taking if your organisation is not ready, if you are not planning to comply – whether by the effective date of 28th May 2018, or at all. We are not talking about fines, though that is the headline-grabbing “fear” feature in most GDPR commentary. No, the far greater risk is that inaction makes it more likely that you will be breached, and then, if you have not complied with the regulations, you will be entirely exposed to demands for compensation by those affected, possibly through ‘ambulance chasing’ lawyers recruiting affected individuals and launching class actions. Only future case law will then determine the cost, but it could be considerable, and is likely to cause the demise of weaker operations.
You may be a skilled risk taker, but do you really want to risk your business?