Just a month to go until GDPR comes into force, so why are businesses still expecting a quick fix?
With exactly a month to go until GDPR comes into force, one law firm is still getting requests for help from approximately six businesses daily.
Robert Bond, Partner at Bristows LLP, told Computer Business Review at an executive roundtable that they are still receiving multiple daily calls from businesses hoping for a “quick fix” to becoming GDPR compliant.
“I think there are an awful lot of businesses out there, particularly in the US, which are still not prepared and have suddenly realised the nature of GDPR. This has come as quite a shock and they’re assuming becoming compliant is a ‘tick the box’ exercise, which of course it isn’t,” Bond said at the event in Central London on Monday 23.
The Information Commissioner’s Office (ICO), however, struck a conciliatory note: “Regulators aren’t there to take people out of business, they just want businesses to realise the importance of data protection and privacy and to take care with actions of data sharing,” Richard Sisson, Senior Policy Officer at the ICO, said.
He added: “We don’t expect May 25th to be the end, it’s an ongoing thing, and if businesses are doing the work and demonstrating working towards accountability then the ICO will take those things into consideration.”
The talk around GDPR has focused predominantly on how organisations are preparing ahead of the regulation’s implementation, but what hasn’t been discussed in depth is consumer perspectives.
Research from DMA revealed that trust (54 percent) and transparency (88 percent) are the biggest factors to consumers when sharing their data; 86 percent want more control and choice over what companies do with their data.
Mark Thompson, Global Privacy Advisory Lead at KPMG, added that readiness could be seen as a proxy for how much companies value their customers.
“How prepared organisations are demonstrates how companies value customer centricity; that they are actually taking on consumer opinions. GDPR is a long way from being a tick box exercise,” Thompson said.
He added: “I think the sector will differentiate the vulnerabilities. The big organisations in industries such as healthcare, banks or insurers were already under big compliance requirements before GDPR, so it hasn’t been a revolution for them. I expect the B2C and retail sectors to be more vulnerable to GDPR, as well as a lot of panic across overseas and third-party processors that have never had to comply and are now being caught out.”
One of the GDPR implementation issues discussed during the roundtable was the education provided around the regulation, to both businesses and consumers.
The panel unanimously agreed that one lesson to take away from GDPR is that when a regulation as far-reaching as this one is introduced, businesses should be educated on it as soon as the legislation is published. That way, no one would fall short on meeting the requirements or on gaining consumer trust.
“Data protection has been a thing organisations know about, but GDPR has brought it all to the forefront,” Sisson said. “We want to educate consumers about their rights and convey this message. Understanding what GDPR requires creates trust, which is why consumers trust businesses that educate them first.”
Nor does the responsibility for ensuring a business is GDPR compliant rest with a single department, as some may think; it must be shared across the entire organisation, from HR to IT.
“Data protection is not a responsibility for the IT department alone. It should be a coordinated task for departments such as legal, marketing and HR in partnership with IT,” Nigel Hawthorn, Data Privacy Expert at McAfee, told Computer Business Review.
“Becoming GDPR compliant requires a combination of knowledge, processes, policies, technology and training, as well as detailed understanding of data flows to and from third parties and any cloud services you may have. All new systems must be designed from the ground up to take into account best practices for data minimization, so building in security and privacy is essential.”
GDPR is a month away – are you ready?