Almost certainly you will not know – why would you? GDPR introduces totally new rules and concepts, so you will not have catered for them before. The very first starting point is that the leadership of an organisation has to understand what those rules are and how they have to be managed. The DPO Centre addresses that with a “C Suite Briefing”, and you should have the opportunity to receive that before you can start to understand what its impact might be. Then commissioning an impact assessment will enable you to discover the detail from within your data.
However, in the absence of that, expect to have to review your organisational plan under at least five headings, starting with strategic changes. There are aspects of GDPR that may quite simply disqualify certain approaches to markets and perceived opportunities that, in the very worst case, will put some companies out of business. That is not the purpose of the regulations, and with proper guidance there are normally perfectly legitimate ‘workarounds’, but there are very few Boards that will not be required to take privacy into account when reviewing their future strategic direction.
Aligned with strategy will be policy changes, but these are likely to be very specific in terms of legal documentation, website presentation, staff procedures, customer relationships and an enhanced concept of the duty of care within an organisation. It is also a question of the adoption of dictated policy through the agency of a new external regulator, very little of which you will have embraced before.
The third heading will be staff changes, not necessarily physically being replaced – though in certain circumstances that might prove to be the case – but significant changes in reporting and responsibility. Indeed one of the most dramatic impacts of GDPR is going to be the manner in which individual departmental managers are going to be responsible for defining the information they need, justifying it, and subsequently ensuring it is only used for that purpose. They must now be involved in the “privacy by design and default” within any system, whereas in the past they might have been presented with a corporate ‘package’ that was common to all departments. That has to change, as does the associated responsibility.
Fourth, almost by definition, your data will change, either in form, content, location or future plans. It may be possible to limit the initial impact, but in some circumstances it may require urgent and expensive change. It is most unlikely that you will have the luxury of doing nothing. Analysing this is a vital feature of the impact assessment.
Finally, expect some change to your infrastructure, involving some expenditure on enhanced protection measures that are likely in any event to improve your cyber security defences.
The purpose of GDPR is to enforce change – with a very positive benefit for society, and thus all organisations that serve it. As such it will have an impact internationally, on everybody. It has to be embraced, so the sooner you understand the impact on your fiefdom, the better!