Let’s face it: with a month left until the implementation date, by now every organisation should have completed its GDPR preparations.
For those that have yet to enact their GDPR readiness plan, the main motivation is probably the fear of large fines, which are being widely reported by ‘experts’ and the media.
But there is a far more ‘real world’ reason, aside from fines, which should be high on the agenda of every organisation…
One of the important steps towards GDPR readiness is to map out an organisation’s data, and data flow, as part of an information audit.
This audit will identify the data a company holds, details of the source and what happens to it downstream. It is the downstream element that we will look at in more detail.
The information audit challenges each organisation to obtain assurances, in the form of contracts and privacy statements, from each of its data processors (those organisations that are downstream of the data controller and process data on its behalf).
Data controllers and data processors have a symbiotic relationship which, moving forward, will need to be documented for GDPR purposes. Each party will need to have clear records of its data protection preparations and policies.
Hopefully, by now, you will have started to get an idea of why this is an issue for those businesses who are not ready for GDPR…
Picture the scenario: one of your key trading partners (an organisation with which you share clients’ personal data, or which shares it with you) contacts you to obtain details of your data protection preparations as part of their information audit. You have to tell them, probably fairly sheepishly, that you don’t yet have the information to hand. You probably scrabble around to produce a half-baked document to fulfil the basic requirements and not lose any business. In reality, what you are doing is delivering a lasting document which sets out your data protection relationship with a controller/processor.
Here is a different scenario: your organisation is keen to respond to a commercial enquiry, enter into an agreement or apply for a tender. Halfway through the process, you are asked to supply a copy of your privacy statement and data protection measures. As you don’t have them, the whole process grinds to a halt.
Yet another scenario: as the owner of a business, you will one day wish to sell or transfer ownership. The process will involve extensive due diligence checks, during which it comes to light that all of the data you hold and use was collected and processed under non-GDPR-compliant procedures. Suddenly, a core component of your business is no longer functional or valuable.
Organisations will get fined and fines will be proportionate to the level of wrongdoing, but please do not focus on the avoidance of fines as your main motivating factor.
As motivating factors go, the potential cost of lost business should be high on the agenda. Collectively, organisations that lose out on business by not being GDPR ready may have a far bigger price to pay...