With less than a month before it eventually rolls out across the EU, the GDPR is still treated by many businesses as a complicated piece of legislation triggering serious debate between professionals and regulators and incurring heavy compliance burden for large organizations. However, the GDPR implementation date, i.e. 25 May 2018,should be looked at more as a starting line rather than a hard deadline, providing organizations with the opportunity to map – throughout their search of identifying any personal data processing – both their entire corporate life and their day-to-day operations.
The initial key for any organization to start any compliance process should be raising internal awareness, by means of requesting from experts and team leaders from across the organization to join forces and decide on the best GDPR compliance and implementation practices, counting in the actual needs and weaknesses of the business. It is crucial for the organization to invite on board all internal stakeholders, from customer support service, to human resources staff, up to the strategic intelligence unit, in order to jointly identify optimized implementation practices, set new standards and gradually structure the business ecosystem upon which all actions and initiatives will be deployed.
An additional fundamental exercise that any large organization should attempt prior to undergoing a comprehensive data audit should be to design an effective budget planning for the project. The organization should be convinced to commit valuable resources into the project in terms of time, manpower and money, assessing its size and market exposure, the rough amount of personal data processed as part of its core business and the extent of its interaction with third-parties and/or non-EU countries.
The compliance project has commenced as soon as the organization has received from its trusted privacy advisor a gap analysis assessment, namely a report setting out all elements identified during the assessment of the current status of the organization which are not compatible with the requirements of the GDPR. When it comes to the gap analysis assessment, organizations may opt between either a quick, tick-box, assessment, leading to a high-level implementation plan or a quality assessment, including amore thorough examination of all frameworks, organizational aspects, strategies and management practices that will produce a detailed data mapping portraying in full deployment the processes and flow of personal data within the organization. In any case, the assessment approach shall definitely depend upon the maturity level of the organization, the existence of written policies and the actual implementation thereof.
The GDPR demands a radical shift in the corporate structure and mentality of the organization, turning the respective compliance process extremely intrusive to the day-to-day life of businesses. It is this highly intrusive nature of the GDPR compliance procedure that makes organizations’ leadership reluctant to undertake compliance efforts and cooperate efficiently with their privacy advisors, especially when their compliance scheme entails interviews. In particular, when interviewed on their organizations’ operations, data processing and flow, as well as on their daily activities, most of the times executives develop a defense response mechanism similar to the one used by people under interrogation, often invoking common avoidance excuses that will hopefully disengage them from the interview process.
However, as reality sets in, the GDPR looks more like an opportunity for businesses rather than a crisis point. The GDPR compliance process is a win-win situation for organizations as it provides them with the opportunity to create business value, improve their operational structure and eventually gain competitive advantage. GDPR-compliant organizations will immediately get ahead of their industry competitors by attracting clients who value their data and wish to trust them to an organization sharing the same principles.
In full awareness that reaching maturity levels may be a long-lasting process, organizations should secure that their GDPR compliance is sustainable; such sustainability may be achieved at all times through ongoing monitoring and assessment of the organization’s policies and operations, permanent training of the staff and development of all such technical and operational measures that will ensure that the organization will always be in a position to demonstrate readiness and accountability.
Partner, Head of IP SE Europe