In my last blog, I wrote about the GDPR compliance projects sprouting up at most companies. We seem to have moved past confusion around whether GDPR will apply after Brexit (the Information Commissioner's Office (ICO) has been very clear on this). I've even seen a surge in GDPR interest from the US, although at this stage I would say that is about where Europe was in 2016, so I would expect the subject to really gain traction there in 2018.
One common theme I’m seeing with customers is pragmatism. Having spent time digesting the information, and doing a high-level analysis of systems and processes, the conclusion seems to be: ‘there is no way we can be 100% compliant on 25 May 2018’.
Instead, companies are classifying systems and processes into three categories:
The third, and I would say also important, category is those systems and processes which are not believed to be affected by GDPR. Having a document that lists them, and the reasons why they were considered not to be in scope, might be very beneficial at some point in the future. Think of it as a time capsule that you may never open - but if you do, it might be very gratefully received.
I guess this is maybe a good point for the standard disclaimer - I am not legally qualified, and none of the information I am providing should be considered legal advice. What I am able to do is share experiences, viewpoints and the challenges faced by different organisations we’re working with. That seems to be quite beneficial to people at this stage; when faced with something of this scale, it is nice to know others are in the same position.
This is very much true when your position is that you will not be finished by May 2018. I recently spoke at a conference where another speaker was covering the business process management aspect of GDPR. He reinforced the message that 100% compliance on day 1 is simply not feasible for many companies, and shared that most of the compliance projects his consultants are working on have May 2018 as a milestone, but not the end of the project by any means. I should highlight that he also isn’t qualified to give legal advice.
And I guess that’s the big underlying problem with GDPR: at the moment there is still so much uncertainty. Is it legally ok to plan to NOT be completely compliant by May 2018? Organisations haven’t been given that clear guidance yet from their own legal advisors, or by their local DPA (Data Protection Authority; in the UK this is the ICO, but this is different in each European country). So everyone continues on their journeys, looking closely to see what’s happening at other organisations.