December was the last time I blogged about GDPR. I can’t believe it is 7 months. It isn’t because I got bored of GDPR and gave up talking about it; it was because between January and June, my feet didn’t touch the ground. There was a massive demand for GDPR advice. In June I took a bit of a well-earned break and when I returned in July, I saw that the entire world seems to have forgotten about GDPR.
Remembering back to the Data Protection Professionals conference in April, Elizabeth Denham (Information Commissioner) gave a very insightful keynote speech: she said that May 25th 2018 was not the deadline for GDPR but the start of a new way of doing things. From what I’m seeing, it appears many are thinking the deadline has gone and there have been no big fines. What was all the fuss about? The first fine to be levied since GDPR day has been £500,000 to the massively rich Facebook. So, what was this about massive fines of 4% of global turnover? It was all stuff and nonsense obviously!
Facebook’s fine was indeed £500,000 but that was because the offence was made under the Data Protection Act 1998, not the new one. I’m sure the Treasury would have loved that particular fine to come under the new law. That would have probably dealt with the healthcare issues for a couple of years.
GDPR isn’t about the fines. It isn’t about what businesses have done up to 25th May 2018. It is about how they evolve over the next few years in the management and handling of personal data. This requires businesses to look at themselves holistically and change. Not change for the sake of change but change for the better. In my experience of helping several companies prepare for GDPR, much of that change has meant improving the way they do business.
Let’s look at a few examples:
- Reducing costs of data storage. Many businesses have made real cash savings by reviewing their data retention policies and reducing the amount of data they hold.
- Improving communications. Some organisations had multiple data stores and a lack of document control across those stores. By implementing better storage techniques and document control processes they have reduced the number of incidents of poor or cross communication.
- Improving site security. GDPR means looking at your whole business. If someone can easily access your business premises and steal data, it is a GDPR issue. Some businesses, through improving their site security, have made the working environment for their staff better and their sites easier to manage.
- Reviewing processes has given some businesses the opportunity to revise outdated, complex and time-consuming processes into ones suitable for the way they do business now, saving money and making staff happier.
I have said this before: GDPR, if looked at as a business enhancement exercise, can return real benefit. On the flip side, if looked at as a compliance exercise, it can be a total pain in the butt. That is because doing compliance creates work and it shouldn’t.
However, back to my main point. GDPR isn’t over. We need to be continuing the good we were doing before May. With August upon us, the silly season, when traditionally things go a little quiet, isn’t it a good time to have a think about what you need to do? You can then action those plans when everyone is back fresh from their summer holidays.