Today marks one year to go until the GDPR comes into full force. We’re seeing companies at various stages of preparation, and given the amount of work ahead, it seems unlikely that all companies will be fully compliant one year from today. Estimates vary, but one report found that 75 percent of businesses will struggle to be compliant in time, whilst another said 25 percent won’t meet the deadline. Regardless of the exact figure, organisations need to prioritise their efforts.
So what can companies be doing now? We recommend following these five stages:
- Understanding the GDPR. This is the initial education stage where companies learn what the GDPR means.
- Data and processing audit. Here organisations are finding out what data they have and what they, or third parties, do with that data.
- Gap analysis. This projects what the organisation will look like when compliant, compares that with where it is now, and identifies what work needs to be done.
- Planning and procurement. Here the work to be done is prioritised, planned and resourced, bringing in new tools and expertise as and when required.
These phases don’t always follow one another in sequence; often they overlap, as different areas within an organisation move at different speeds.
Whilst organisations should plan to be ready for full enforcement to begin on the 25th May 2018, supervisory authorities have only limited resources and will likely focus their initial enforcement efforts where they will have the biggest impact on citizens. Some of these priorities will be the same across the EU; others will vary. In the UK, the ICO has repeatedly made clear, through its previous enforcement actions, the guidance it has chosen to prioritise and its public statements, which areas it believes are the most important. As the ICO’s Steve Wood said recently, issues such as consent will be front and centre, as will principles such as accountability. So whilst the first objective should be to find a way to ensure full compliance by the deadline, it could be wise to prioritise the areas of particular interest to the supervisory authorities in the countries an organisation operates in. Then, if work continues after the deadline, it won’t be on the most sensitive areas.
Given that so many organisations are under pressure to meet the deadline, it may seem odd to add more to the to-do list. However, this assessment and planning period offers a unique opportunity for organisations to think about what they could do with their data, now and in the future, and to build in new processes and infrastructure in a way which embraces these possibilities. For instance, compliance preparations are expected to require a full audit of the data estate and improvements in data quality, to ensure that data about individuals is accurate and locatable. These are needed for data protection, but they are also extremely useful steps to pave the way for greater use of that data, for example to link data sets and apply big data analytics tools.
When looking to minimise privacy risk and achieve GDPR compliance, whilst preserving data utility and value, it is worth exploring how privacy engineering technologies and tools can help. Privitar is able to support GDPR compliance through:
- Providing the tools to deliver on the fundamentals of privacy by design (PbD)
- Direct compliance through pseudonymisation and anonymisation
- Protection in the event of a privacy breach
- Removing barriers to processing
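To make the pseudonymisation point concrete, here is an added example (not Privitar's code, and not from the original post) of the basic mechanism: direct identifiers are replaced with keyed HMAC tokens, so the same individual maps to the same token across data sets (the linking use case mentioned above still works), while the key that would allow re-identification is held separately from the pseudonymised data. The records, field names and `DEMO_KEY` are all constructed for illustration; in practice the key would live in a KMS or HSM with its own access controls.

```python
import hmac
import hashlib
from typing import Dict, List

# Constructed sample records (fictional people); two rows belong to the same customer.
CUSTOMERS: List[Dict] = [
    {"customer_id": "C1001", "email": "alice@example.com", "postcode": "SW1A 1AA", "spend": 120.50},
    {"customer_id": "C1002", "email": "bob@example.com",   "postcode": "M1 1AE",   "spend": 35.00},
    {"customer_id": "C1001", "email": "alice@example.com", "postcode": "SW1A 1AA", "spend": 60.00},
]

# Fields that directly identify a person and must be tokenised.
DIRECT_IDENTIFIERS = ("customer_id", "email")

# Constructed demo key. This is the "additional information kept separately":
# whoever holds it can re-link tokens to people, so it must never be stored
# alongside the pseudonymised output.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def pseudonymise_value(key: bytes, field: str, value: str) -> str:
    """Return a deterministic, keyed token for one identifier value.

    HMAC-SHA256 rather than a plain hash: without the key an attacker cannot
    brute-force likely inputs (e-mail addresses are easy to guess) to recover
    the original value. Mixing in the field name means the same string in two
    different columns yields two different tokens.
    """
    mac = hmac.new(key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def pseudonymise_records(key: bytes, records: List[Dict]) -> List[Dict]:
    """Copy each record, replacing only the direct identifiers with tokens.

    Quasi-identifiers such as postcode are left untouched here, which is why the
    result is pseudonymised, not anonymised: it is still personal data.
    """
    out = []
    for record in records:
        pseudo = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in pseudo:
                pseudo[field] = pseudonymise_value(key, field, str(pseudo[field]))
        out.append(pseudo)
    return out


def spend_per_customer(records: List[Dict]) -> Dict[str, float]:
    """Aggregate spend by customer token, showing the data remains linkable."""
    totals: Dict[str, float] = {}
    for record in records:
        totals[record["customer_id"]] = totals.get(record["customer_id"], 0.0) + record["spend"]
    return totals


if __name__ == "__main__":
    pseudo_rows = pseudonymise_records(DEMO_KEY, CUSTOMERS)
    for row in pseudo_rows:
        print(row)
    print(spend_per_customer(pseudo_rows))
```

The design choice worth noting for GDPR purposes is the key separation: the pseudonymised rows can be handed to an analytics team without the key, and analysis that only needs to distinguish or link individuals still works, but the re-identification capability stays with the data controller. Because quasi-identifiers (postcode, spend) survive unchanged, this output would still need further treatment such as generalisation or aggregation before it could be argued to be anonymised.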
To find out more about our solutions, and how they help with the GDPR, download our whitepaper.