Will You be Ready for GDPR?

Fast forward to the 25th May: as the CIO of a major information technology user, you get a call from your Chief Executive informing you that the Information Commissioner’s Office (ICO) has been on the phone. The ICO has advised that you, XYZ Limited, a major multinational trading on 6 of the 7 continents of the globe, have been “randomly” selected for a compliance review under the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

Being reasonable people, they will start the review in the first week in June.

As CIO you are already wrestling with a plethora of technology-led advances aimed at lowering costs, improving supply chain efficiency, gaining greater security by moving to the cloud, building more secure networks, interpreting big data, and improving customer service and hence customer loyalty. Did I forget the internet of things, artificial intelligence and winning the talent war?

Whilst you acknowledge that your organisation had two years to prepare for GDPR, the reality is that when you took up your appointment a year ago, in common with many others, the planning and implementation moves towards GDPR had been negligible.

You recall forming a sub-committee under the leadership of an old-school IT professional who retired at the end of 2017, and then…

Perhaps a far-fetched example, but other commentators feel that only about 5% of EU businesses are prepared for GDPR, and a lesser number of second-tier major multinationals will arrive at the May deadline with no GDPR preparations in place.

A last-minute scramble is under way as major players look to find competent Data Protection Officers, and pay levels have escalated from £50,000 to well into six figures. The amusing thing is that nobody is sure what GDPR will bring, but the neck of the CIO is on the line.

So, what next, other than an emergency trip to the toilet? Your CEO has called an emergency board meeting for 48 hours’ time, as the ICO mentioned the level of fines as the higher of €20 million or 4% of global turnover.

The CEO believes in KISS, as he went to business school in the 1970s, and has a list of questions:

  • What personal data are we processing in relation to our people (past, present and future), and why?
  • Will you rely on ‘necessity’ or ‘consent’ or both to process personal data? Please explain the difference in layman’s terms.
  • How do we keep data secure and what will “occur” in the event of a security breach?
  • How long will we need to retain data?
  • Do we have to worry about the historic personnel files in the filing cabinets and warehouses which nobody opens anymore?
  • How easily and quickly can you remove data from our systems?
  • How will GDPR impact on our offshore and cross border data processing?
  • How will we demonstrate compliance with data protection principles if challenged by the Regulator? What in-house compliance checks have been run?

I expect you and the DPO to present to the board. As I’ve never met the DPO please introduce him to me in the next 24 hours.

What documents have been created/updated because of GDPR? Board papers are needed by 5pm tomorrow.

Good luck with the meeting.

Hopefully this won’t be you, but it could be. We simply don’t know. At Skills Provision we appointed our DPO in 2017; he has been hard at work, and the necessary external changes are becoming evident. Just as important is the change of mindset, from the CEO down to the administrators responsible for data processing.

GDPR is a game changer; you ignore it at your financial peril. If you work smart, it will force your business to embrace better business procedures because, let’s face it, very few if any organisations have had control of the in-house data accumulated since the days of pen and paper, let alone digital.