Doesn’t time fly? After what felt like years of build-up and widespread media coverage, we’re ending 2018 having experienced one of the biggest changes to data privacy in recent years, with the EU General Data Protection Regulation (GDPR) coming into force on 25 May.
For some, nothing much will have changed, while others have had a much larger job on their hands. Just a few months before the implementation date, a survey of C-level executives reported that less than half had updated their business’ contracts and data protection policies. A stunning 22% reported “none of the above” to the survey questions, suggesting they were undertaking no preparedness measures.
What would those executives report today? We were all already used to cookie consent notifications on websites, thanks to the earlier Privacy and Electronic Communications Regulations (PECR), but anybody who visits websites today has surely noticed how these have switched to a consent-based approach in order to comply with the GDPR. We’ve also all received a flood of emails detailing new privacy policies, which can be viewed as another measure of GDPR compliance.
This isn’t to say that everyone has got on board with GDPR. A large number of websites still haven’t adjusted their cookie notifications, while there are plenty of businesses that have not yet reacquired any necessary consent for marketing, or updated their data-handling policies.
In general, the positive news is that there are signs of businesses taking their legal and moral commitment to data protection more seriously than before. For example, in the latter half of 2018, British Airways suffered a breach that allegedly affected 380,000 of its customers. Part of the compensation offered to those affected was a year of identity theft protection.
Crossing the compliance threshold
So, as the year draws to a close, what can your business do right now if you fear – or categorically know – that your data protection preparations do not meet requirements? After speaking to several people directly involved in GDPR compliance, it’s clear that businesses have had a variety of responses to the regulations – from a head-in-the-sand approach, to a fully proactive, root-to-branch evaluation of all business functions.
Of those two choices it’s obvious which is the more effective, but a point to remember is that the workload attached to GDPR preparedness can seem overwhelming, even for the largest organisations that should be able to spare the resources without a second thought.
If you’re just starting your GDPR journey, then let this thought guide you as we enter the new year: in achieving compliance you’re simply adopting one more administrative process that is a fact of everyday life for most European businesses. Aim to incorporate it not just into your practices and processes, but into the very culture that underlies everything you do. This will make it feel significantly less onerous and more achievable.
It’s also worth remembering that the GDPR wasn’t and has never been a threshold that, once crossed, can be ticked off a to-do list and forgotten about. For all businesses, implementing the GDPR has to be a continual process. Procedures need to be monitored and periodically reviewed for compliance, regardless of the type or size of your organisation – throughout 2019 and beyond.
Put simply, it’s never too late to start – and never the wrong moment to consider how data protection is handled within your business.
By Adam Prince, Head of Compliance, Sage