Back in May 2017, TCF’s article ‘GDPR – hype or reality – a compliance revolution for data protection’ looked at the main features of GDPR and asked if GDPR is a real issue for organisations when approximately 50% of the organisations we were talking to were saying the hype was out of proportion.
We thought we’d take another look and ask ourselves, what’s changed?
Our main conclusion in May was that for those firms who were already taking data protection seriously, the GDPR would be an evolution; but it would be a compliance revolution for those firms for whom personal data management had traditionally been a bit of a tick-box exercise for legal requirements. For those organisations, GDPR would require a level of governance, monitoring, reporting and operational process excellence which data protection activity has never had before – and most importantly for these organisations, these elements would need to be evidenced and integrated into the organisation’s culture.
We therefore saw this not just as a small something extra for many organisations to do but a real challenge. It would also provide an opportunity for the personal data industry, much of which has been mainly aligned with Legal or Tech, to integrate with the mainstream compliance, risk management and governance functions – “a good place to start, if nothing else, would be to go talk to your risk or compliance opposite number, if you have one.”
So what’s changed since then? For one thing, there’s been an explosion of people offering GDPR support. A bit rich, you might think, coming from a consultancy like TCF. Except that individually and collectively TCF and its associates have been working on data issues, breaches and operations for years. Our focus on GDPR and data has been born out of the practical challenges that our clients and contacts have been grappling with, not out of spotting a new issue to sell stuff on.
We still, as we saw in May, see a lot of people asking where on earth they are supposed to start. We still see many questioning whether GDPR isn’t just a load of hype. What we see more of are people who, for various reasons, but often budget driven, want to have a crack at it in house rather than calling on support.
Taken together, this makes it all the more important to first of all be real about your level of data protection compliance now, your preparedness for GDPR and your risk. Then, to break down what you’ll need to do and work out where you might need help – which could be as simple as a double-check on what you have done in-house.
If you are going to seek help then do so wisely, and look to find someone who is capable not just of transmitting GDPR requirements (which you could read up on for yourself; the ICO’s website is a terrific source of materials and has filled in a lot of gaps since May) but also of helping you figure out what you are going to do about them, so you translate all this into business as usual.
So think through what you need and who can provide it. Sticking ‘GDPR services’ into the search engine probably isn’t going to do the trick by itself. Nor is thinking about ‘being compliant’ which is a term we find so wrong we will write about this separately.
A second change is that, fuelled by the onset of GDPR and an increased level of media focus, it feels like there is a much greater surfacing of data breaches, Equifax and Uber being just two of them. And they are huge. But not, by and large, fuelling the extent of public anger that in many ways we would expect. They do, however, in TCF’s view reinforce the rightful expectations and increasing cynicism of data subjects – or people, as we like to call them – about how our data is treated and how it’s valued by the people who have it (who are sometimes not the people we gave it to).
This we hope will lead to a new debate and one which is long overdue. That is, the importance of maintaining customer and public confidence and its impact on reputation and the bottom line. The High Court has just upheld a (class action) claim against Morrisons by thousands of victims, who happened to be mainly employees, of a data breach carried out by another (disgruntled) employee with Morrisons held vicariously liable as the instigator’s employer.
This may give many employers pause for thought. And give potential and actual victims of data breaches real encouragement to hit businesses and organisations where it matters – in court and in the pocket.
So we feel our view in May this year is still broadly right. The sky isn’t going to fall in. Fines are not the be-all and end-all, but the chances of being found out and paying the price are increasing.
The key we see is still the same. GDPR reinforces what should always have been the case. Effective management and protection of personal data depends on good operational compliance, risk management, governance and ultimately culture. By and large, the personal data ecosystem is having to step up on this.
As time has moved on, the pressing need to be real about where you are and what you need, and to choose who can help you wisely, has only increased. So has the need to think about data subjects as what they really are – people – without which your culture can never really take personal data seriously, which is what this is all really about.