We are told that the secret to success in any field is preparation, a belief so widely shared that it even comes with a renowned and expletive warning verse known as the seven Ps. It is joyfully recited to anyone who fails to heed such common advice by those who have presumably learned from their own mistakes.
As a result, it is not so curious that the question of GDPR preparation over the past two years has gradually changed from how to prepare to the question of whether it is too late.
All Aboard the Final GDPR Service
The GDPR (General Data Protection Regulation) has been a confusing journey for some, particularly in the UK. The unfortunate overlap with the Brexit referendum and the squabble that followed has put doubt into people’s minds about its applicability. This has been paired with a general scepticism about the GDPR and what it will tangibly result in. The relentless GDPR sales pitch has effectively tuned some people out of all messaging entirely.
However, with just eight months to go and the UK decidedly resolute in its path toward GDPR implementation via its own Data Protection Bill, there will be some who only now decide to board the train to GDPR compliance.
Is It Too Late?
Well, not necessarily.
It’s a tough question to answer in a general fashion. It relates strongly to a number of different factors, such as:
- The organisation’s current adherence levels to the DPD (Data Protection Directive) 1995.
- Its level of exposure to the GDPR.
- The size of the organisation and its customer base.
- Its current maturity in information security.
- How flexible the organisation is to changing some of its existing practices.
For most, the biggest obstacle will be their ability to enact what are in some cases rather radical changes to their business models in a short time-frame. Take, for example, the creation and implementation of workflows for data subjects’ rights, such as the right to be forgotten. Employees need to be trained to spot these requests and forward them into the correct channels for processing within the mandated 30-day period; the organisation needs to be ready both to process this right and to demonstrate that it can do so effectively if questioned by the supervisory authority.
Those who represent larger, more cumbersome organisations and are terrified by the previous section might begin to consider conceding defeat. There is much to achieve in eight months, even before weighing up the cost of the Christmas season and the end of the financial year, both of which shrink the window for change and reduce effective staffing levels. Could it be that some organisations will have to plan for immediate non-compliance come May 2018?
Although the pessimistic lure of defeatism is strong at this stage, maybe it’s not such a worry after all. We are constantly reminded that the GDPR is yet to be tested in the courts, that Europe’s supervisory authorities are not sufficiently prepared to police the GDPR, and that much like the DPD 1995 the articles of the GDPR will be upheld mostly in spirit or when actually required.
Streamlining Your Preparations
As a GDPR practitioner and consultant, I would never advise any of my clients to take the assumptions stated above as reasons to delay GDPR readiness changes or to ignore the gravity of non-compliance. Instead, my recommendation is to streamline your preparations so that you can tackle the areas which pose the highest risk of penalties.
Consider the following steps:
- Speak to a professional – Because the GDPR is new and untested, anyone who marks themselves as qualified or a leader in the field is much lauded. Quite frankly, this is divisive nonsense, and although I may be biased, the advice of someone who has dedicated time to understanding and becoming qualified in a topic should be valued.
- Get everyone on board – The GDPR is a team effort and requires both the buy-in of senior management and the acceptance of users that their working practices may have to change. People naturally resist change when they do not understand why it has to take place. You are going to need as many friends as possible when it comes to the GDPR.
- Get real – With eight months to go, there is a very good chance you cannot tackle everything. Your board and senior management need to be aware of this and must understand the associated risk.
- Assess for gaps – A number of services offer GDPR-based gap assessments, delivered through on-site engagement and sometimes online. Using these services will give you a clear understanding of how you currently comply and where you fall short, and will allow you to focus on the critical areas of exposure.
Prepared for Unpreparedness
If the final stage of anything is acceptance, then so it must be that you may not be entirely ready for the GDPR come May 2018. Rest assured that you will not be the only one, and you will most likely not be the one in the worst position. The GDPR, despite coming with a two-year warning, is the biggest shake-up of data protection law for a generation and is challenging the business methods of entire industries, some of which have not witnessed any change for decades.
Small organisations with no grasp of information security, family businesses who are uninformed, and those who do not believe that the regulation has relevance to them all stand to be surprised in eight months’ time.
I am often asked, is it too late? My answer is always the same: sometimes too late is just in time.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.