22 August 2017
In this guest CIO blog, Gavin Whatrup shares new learnings from a recent Northdoor GDPR Round Table event run by Sales Filter
As the clock ticks down to May 2018, the General Data Protection Regulation (GDPR) looms large in the minds of many company executives. Many of us are discovering that GDPR presents a huge test not just of our company’s resources, but of our flexibility and capacity for strategic thinking.
It’s always a valuable experience meeting with peers facing the same challenges, and hearing how they are approaching GDPR projects. I attended a recent roundtable event run by Northdoor, and it’s obvious that the level of preparedness is variable.
Awareness of GDPR is high, but understanding of how to achieve, or even move towards, compliance is not – some businesses are yet to get projects underway, despite the risk of fines and reputational damage in the event of non-compliance. Thinking back to the Y2K challenge, I remember board-level understanding being significantly greater than it is for GDPR.
Even among companies from regulated industries such as finance, whom I expected to have a strong grasp of data security, GDPR legislation is causing confusion. For companies from, say, the retail sector, with less experience in data security, the learning curve may be even steeper.
The legislation lays out the rules but not a strict set of instructions on how to comply with them. Encryption is a good example. GDPR does not mandate the use of encryption, but rather that personal data be made unreadable. The use of encryption is cited as an example of how to achieve this – but is only mentioned four times in the entire Regulation.
Plenty of people are unsure of how all this differs from the old Data Protection Act, whether GDPR replaces or augments the DPA, and how it will co-exist with other related legislation.
This roundtable was able to clear some of the regulatory fog and show that GDPR is not necessarily a bear to be wrestled with, as long as it is addressed now.
So what’s the best way to approach GDPR compliance? Some execs I spoke to were looking for technology solutions. For sure there are tools out there that may help, we were told, but this is predominantly an organisational and audit issue. Find out where your data is, grade it, and treat it accordingly – it is not a task to punt towards IT.
What is clear, though, is that companies trying to do it all by themselves would run into difficulties. With less than 300 days left to 25th May 2018, when the Regulation comes into force, we’re going to need some good advice to do this properly.
Get a set of measures in place, even if they deliver after the compliance date, and you’ll be well on your way to a favourable GDPR audit. If you prioritise by risk and document the process to demonstrate commitment to GDPR, you can lay the foundations for staying compliant.
About the author
Gavin Whatrup started out helping people do innovative things with data. Nearly 30 years later, he’s now helping organisations protect that data by designing and implementing data governance programmes and helping with the design and implementation of ISO27001 audits and renewals.
About Sales Filter
Sales Filter runs “CxO only” round tables, innovation forums and events where guests can enjoy informal peer-level discussions under the Chatham House rule, with no sales pitches or nonsense. Discussions are always lively, honest and open.
Kick-start your journey to GDPR
To find out how Northdoor can help you achieve GDPR compliance faster and more effectively, please contact us for an informal assessment. We’ll review your existing approaches to data protection and security, and provide a clear checklist of recommended next actions, helping you get started quickly.