A recent IDC survey found that organisations consider the General Data Protection Regulation (GDPR) confusing, but why is this? At just under 90 pages long, the regulation isn’t that large; the document is certainly no “War and Peace.” Yet it is still posing huge challenges for organisations of all sizes. A few specific factors are perpetuating this confusion as the deadline for compliance draws closer.
It puts you outside your comfort zone
The likelihood is that the GDPR will impact every part of your organisation; it cuts across many different disciplines and departments. The core requirements of the GDPR are supplemented significantly by additional materials that provide definitions of, and clarification to, the regulation. Unless the programme lead for the GDPR is a compliance officer, that person is unlikely to have enough knowledge to understand the impact it will have on the processes of every department, much less the full extent of the business and technical challenges it poses; even someone dedicated to a compliance role is likely to be stretched by it.
‘I’m not a lawyer’
If you don’t have in-house legal counsel playing a lead role in your GDPR programme, it is vitally important that you arrange access to legal help, especially if your organisation has more than 250 employees or processes the data of children. Even if you enlist help, translating the advice into everyday business processes can still be tricky. For example, more and more businesses use automated decision making and customer profiling, and the rules for this (Article 22 of the GDPR) have been tightened significantly. Unpicking the actual logic or machine-learning model you use and applying the regulation to it may not be easy, and it may add constraints that mean more human intervention in decisions that significantly affect individuals.
GDPR is sometimes vague
Instructions that are clear and concise are always helpful. While many parts of the GDPR are indeed clear, the regulation also uses non-specific terms such as ‘reasonable,’ ‘adequate’ or ‘large.’ This means you have to take a view on just how much action to take to mitigate risk. A request under the right to erasure, better known as the ‘right to be forgotten,’ is a good example. After a request, should you delete the subject’s data from backups too? Or is embedding a process to re-delete the data after any recovery from backup good enough? Should you stop using tape as your long-term storage media? The definition of reasonable is yours to choose, and you should be able to justify it to the regulator.
GDPR doesn’t take current technology into account
Data proliferation has a way of dispersing personal data to every corner of your IT systems (including cloud and SaaS), regardless of any rules you put in place for employees to follow. Finding and profiling this data to assess your risk is tricky, let alone deleting it when required. Additionally, profiling can’t be a one-off event: data keeps moving, so it has to be an ongoing process. Old ways of managing consent, and of storing and processing data, will have to change because of the GDPR, whether your systems and applications are ready or not.
It defines a new role: director of business prevention
Of course, the GDPR doesn’t really do this. However, the GDPR does say you must appoint a Data Protection Officer if you are a public body, or if your core activities involve ‘large-scale’ monitoring of individuals or large-scale processing of special categories of data. This individual carries the responsibility for privacy in your organisation, is your interface with the regulator, and must be free of conflicts of interest with those who have a vested interest in processing personal data. You can be sure they will say ‘no’ pretty often.
Neutralise the confusion
The GDPR outlines 51 different ways that regulators can enforce fines, and regulators can also temporarily or permanently ban you from processing personal data, so it’s important to neutralise the confusion and the inaction that results from it. If you haven’t started yet, begin now and get your board to sanction the resources for GDPR compliance. Make sure you get a representative from every department involved, and ensure you run a Data Protection Impact Assessment (DPIA) for any processing that is likely to present a high risk to individuals.
This IDC survey isn’t alone in reporting that organisations are confused and unprepared for the GDPR. Looked at as a whole, it is completely understandable that many will feel overwhelmed, but with some help and planning you can begin to prepare your organisation for the 25 May 2018 start date.
By Nigel Tozer, Solutions Marketing Director of EMEA at Commvault