GDPR has arrived!
2016 brought us approval.
2017 brought us implementation.
2018 brings us enforcement and a skateboarding analogy.
Are you ready? Or, are you risking it?
There’s a lot of talk about the potential impact of GDPR: the number of SARs (Subject Access Requests) a company will receive, what the organizational risk is, and the repercussions of the fines and penalties. What it really comes down to is the risk tolerance of you, your organization and your customers.
In my neighborhood, there’s a skate park I walk by nearly every day. As I watched the skaters dive into the bowl on their skateboards – which appear to be all shapes and sizes – I noticed something. The kids taking lessons (I live in Seattle… Yes, kids take skateboarding lessons) are wearing helmets, knee pads, elbow pads, long pants and shirts. When you look at the teen crowd, the helmets are gone, and the dares and challenges are shouted out to do tricks and try something risky to be the coolest kid at the park. And, yes, there are adult skaters at the park too. Some are in helmets and pads, and some are skating away, calmly, methodically and predictably, with no protection at all.
It dawned on me…
Is GDPR just like everything else in our lives – a risk assessment based on our confidence and consideration of bad outcomes? It may just be.
If you want to make sure everything is covered prior to any “bad” outcome that could possibly happen with the upcoming compliance regulation, you want to be geared up head to toe with every single protection in place. Analyst firms such as Gartner are taking the same position regarding GDPR – as are publications such as Information Management.
“The GDPR will affect not only EU-based organizations, but many data controllers and processors outside the EU as well,” said Bart Willemsen, research director at Gartner. “Threats of hefty fines, as well as the increasingly empowered position of individual data subjects tilt the business case for compliance and should cause decision makers to re-evaluate measures to safely process personal data.” – Gartner
“On May 25, 2018, the General Data Protection Regulation will go into effect. To process personal [customer] data under GDPR, businesses will need to document their reasoning and show a legal basis as to why they require personal data. Penalties for failing to meet GDPR requirements could lead to fines of up to €20 million or 4 percent of the company’s global annual turnover for the previous year, whichever is greater. This level of financial penalty could have a serious impact on a company’s future, so you will see businesses scrambling to prepare.” – Information Management
If you haven’t already done so, it’s time you gear up now and protect against any potential risk GDPR could introduce to your organization. And, at a price tag of up to €20 million or 4% of annual revenue – no one would blame you.
In fact, “Gartner recommends organizations act now to ensure they are in compliance when the regulation goes into effect.” – Gartner
If your organization has landed on more of a wait-and-see approach, you may just be delaying the inevitable. Due to the complexity of managing all sources of personal data, you may still be in the risk analysis phase of understanding just what you would have to do to meet the requirements. You may be that adult skater in the park, going about your business day-to-day methodically and predictably. However, if you had a crystal ball or relied on Forrester’s “Predictions 2018: A Year of Reckoning” report, you would know that the report projects that 50% of companies not complying will do so willingly after weighing the cost and risk benefits of meeting GDPR standards. So, you may just end up wearing that protective gear – because who wants to explain their poor risk assessment after bad PR, steep fines and penalties have all occurred?
However, maybe all of us still have that inner teenager – yearning to take a risk and try new tricks (even when that risk involves traumatic brain injury). I’m not saying non-compliance with GDPR will lead to traumatic brain injury, but it could leave a significant mark.
The reality is, according to Forrester, “In 2018, data governance 2.0 will shine as it moves out of IT’s shadow to encompass the entire enterprise. CFOs, CMOs and all data stakeholders will be involved in data governance, not just traditional data stewards.” So, no matter what your organization’s risk tolerance is relative to GDPR’s recent go-live date of May 25, 2018… the data governance, personal data protection and data privacy conversation is already taking place.
It just might make sense to invest in some gear to protect not only yourself, but your entire organization.