Box ticking exercise or shift in mindset?
As we get nearer to the GDPR deadline of May 25th, it's time to take a hard look at your approach to GDPR.
A lot of companies are approaching GDPR as a box-ticking exercise. This demonstrates a fundamental failure to grasp the basics of the GDPR. To implement GDPR successfully and gain the benefits for your company, a shift in mindset about how you deal with personal data is required. This needs to be a top-down exercise; bottom-up won't work.
Benefits for Companies
The benefits to the company will include:
- a streamlining of its processes.
- a culling of dead weight from its current data systems.
- avoidance of fines.
- avoidance of reputational damage.
With a more comprehensive view of the data you currently hold, there is a wide spectrum of opportunities that can be explored, and your business will be in a better position to take advantage of these insights.
So not only can you benefit from savings and efficiencies, but you will also be in a position to identify new opportunities and expand your business.
Avoid fines and reputational damage.
Avoiding the potentially huge fines for non-compliance of 20 million or 4% of global turnover, whichever is higher, and fines of 10 million or 2% of global turnover for data breaches is, of course, its own driver. The potential loss to your reputation is incalculable.
For larger companies with continual projects on the go, GDPR is a chance to centralize and cut down on duplication of effort across teams. By carrying out DPIAs (data privacy impact assessments) you will have a clearer overview of what is being developed and where duplication is occurring. It can also promote communication across teams within your organization.
Check your Subject Access Request Process.
At this stage, CEOs and boards should be questioning those charged with the implementation and should be actively engaged in ensuring that their processes are fit for purpose. I would challenge CEOs to make a subject access request about themselves to their own company as soon as possible so that they can properly evaluate their processes.
In terms of preparation, you should consider your business priorities for security and compliance requirements, and maintain a strong line of communication with the teams responsible.
Prepare for Fraud
There is an expectation that there will be a raft of fraudulent access requests, so make sure that your process for verifying the identity of the requester is sound. You should also put in place a team dedicated to the early period when the regulations become law.
So, to sum up: GDPR requires a shift in mindset in how you handle personal data, can help your business become more efficient, and helps you to avoid huge fines and loss of reputation. Always check that what is stated as delivered is actually delivered and fit for purpose.