With the very hot weather that’s been with us for a month or so we all expect to be hit with a huge thunderstorm very soon. Similarly, now that GDPR has been enforced for 2 months we are all waiting to hear who will be the first company to be hit with a heavy non-compliance fine or civil suit.
Dark clouds are on the horizon.
Over the past year or so we have conducted numerous data audits with organisations from various sectors. It is clear that some perceive data protection as a necessity and are happy to take whatever measures are needed to reach compliance. These organisations are the ones that are used to documenting everything and being “accountable” in order to comply with, for example, Health and Safety audits, Government standards such as Ofsted or trade associations like the British Retail Consortium.
Others (no names mentioned) see GDPR as an unnecessary chore that is a cost to the business and a burden on their time. Many of these organisations have never taken data protection seriously and were not even compliant with the 1998 Act. Their Policies and Procedures are not documented and they certainly are not taking “appropriate technical and organisational measures” to process and protect data correctly. Rather than looking to improve their business they are looking for ways to cut corners to get around the law.
What the latter don’t seem to realise is that by either flouting the law or taking the “it doesn’t affect me” approach they will be in danger of losing business in the long run. We are already seeing larger companies asking their processors to sign updated Controller/Processor agreements and to prove they are taking steps to reach a level of compliance. As Data Protection becomes more of a Boardroom agenda item and organisations realise that they should only be dealing with 3rd parties who are adequately protecting data, those “head in the sand” organisations will realise they are losing out on contracts.
May 25th 2018 wasn’t the day that the Data Protection task was completed and signed off; it was the day that everyone realised that their data was valuable, that they had new rights as individuals and that businesses should begin to see it as an area of huge operational and organisational risk.
For those who disagree, this is the lull before the storm.