Is GDPR getting under your Radar?

You have probably noticed by now that the acronym GDPR is becoming more and more popular, popping up here and there: on your LinkedIn news feed, on blogs you follow, on mailing lists you subscribe to, in your contacts' network or even in your engagements with customers. It's getting under your radar even if you aren't paying much attention to it.

While talking to people from different business areas and organizations I realized that some are deeply engaged in preparing for what's coming, but there are still too many doing too little or nothing at all. One of the headlines most used around GDPR is the date of 25 May, or the fact that you now have less than one year to prepare. Headlines are great because they grab people's attention immediately; the downside is that they tend to confuse or convey the wrong idea.

So what is in fact going to happen on 25 May, and why do you have less than a year to prepare?

On 25 May 2018 the General Data Protection Regulation (GDPR) will become fully enforceable throughout the European Union, but this is not a regulation bomb that will be dropped on your desk that day: the GDPR was initially proposed in January 2012 and finally adopted in April 2016 by the European Parliament, so, I know what you are thinking, this is actually not that new. That takes me straight to the next question I commonly hear.

"What about a grace period? I need time to understand what this is all about and become compliant."

Well, the answer is yes, there is a grace period and you are enjoying it right now; even better, you still have eleven months left, and if you search the web you will find some nice counters that will tell you the exact time remaining. At this stage the bells and whistles in your head have been triggered and the thought balloon that says "Maybe I need to do something about this" is already visible. This is good because it calls out the urgency to act, and someone starts doing something or at least gets interested in finding out more. So let's take a deep dive and bring some context to the surface.

GDPR is the new data protection regulation that applies to all European citizens across the 28 member states; for those who don't know who the member states are, please have a look here, and no, please don't expect jokes about the UK at this stage.

Any company that stores or processes personal data from any EU member state will have to comply with the requirements of the regulation. This demystifies the idea some people have that this regulation only affects the big "tech" giants. This is wrong, and it couldn't be more wrong: size doesn't matter here, whether you are big or small you will have to comply.

Aside from the 28 EU member states there is also what's called the countries white-list: the countries on this list have data protection laws that are fully compliant with GDPR. The white-list at the moment contemplates two groups. In the first group are the countries that are part of the European Economic Area (EEA): Norway, Liechtenstein and Iceland. In the second group we have the following countries:

  • Andorra
  • Argentina
  • Canada
  • Faeroe Islands
  • Guernsey
  • Israel
  • Isle of Man
  • Jersey
  • New Zealand
  • Switzerland
  • Uruguay
  • USA

What about countries like Japan, South Africa, Australia or India?

Those countries aren't part of the list, which doesn't mean they can't be added later or that they can't store or process EU citizens' personal data, but there are some concerns that need to be addressed. Over the last 10 years several European companies outsourced their IT to countries like India, so now it's time for those companies to look at their contracts and ensure they stipulate the same rights and responsibilities for EU citizens as stated in GDPR.

This takes me to another topic: it isn't enough to just look inside your company and sort out policies, procedures and technology to become fully compliant. Your responsibilities go beyond that. As a company you need to understand your data touchpoints, what data comes in and out, who sends you data and to whom you send data, and make sure that the contracts you have in place with those organizations are revised by experts on the matter to give you the assurance that you are doing the right thing.

So, is GDPR something good or bad?

I personally think it is good, it is the right thing to do and it was something needed. The world has changed too much in the last few years: the internet, e-commerce, social media, mobile devices, etc. are things that didn't exist 2 or 3 decades ago and are now part of our daily lives. Your data, your personal and sensitive data, tells a lot about you; it is part of you, and if you like to be protected, if you like your rights preserved, if you like prosecution to happen when those rights are violated, why should your personal data be treated differently? When someone asks you for something personal, you want to know what that person will do with your belonging, how they plan to use it, how long they are going to keep it, with whom they are going to share it, etc. GDPR brings all of that to the table in regard to people's personal data, and much more: it forces companies to "undress" all those terms and conditions into simple text that everyone can understand, so you will know exactly why the company needs your data, how they are going to use it, with whom they are going to share it, etc.

I know that this all looks very compelling to citizens and not so much to companies; to companies this just seems like a huge legal burden to take on board. To that I will say that this is obviously a big change coming down the track, it will require time, dedication and investment, but let's not forget that data is considered the new oil, the new currency, so any work or investment in this area might become fruitful very quickly.

One important thing to notice is that having a single piece of legislation across 28 countries can save you time and money in the future, by avoiding having to go through all the tiny details of country-specific legislation with solicitors and law firms when you are doing business.

Also relevant is the fact that companies tend to capture all the data they can when you engage them or they engage you; it doesn't matter what the purpose of the engagement is, or the fact that they might not need that information at all, what matters is that they now have a lot of information about you, your family, your house, your dog, and that might be useful in the future. The problem is that storing, managing and maintaining data costs money, and data by itself doesn't represent real value; it's the information you extract from it that makes it valuable. If that's the case, more relevant data will give you more relevant information, so you will actually be spending less and extracting more.

As an example, why do you need to hold specific information about someone's car if you can get all that information with just the vehicle registration number? Does holding that information give you some type of advantage? Does it cost you less than getting it from someone else dedicated to that purpose? It's this type of thinking exercise that will reduce your exposure, reduce your costs, increase the value of your information and in the long term distinguish you from the competition; as someone said, "with change comes opportunity".

On a final note, it's important to remember that GDPR isn't something that will simply go away; it's here to stay, and ignoring it will get you into trouble and expose your company to things like huge fines or brand damage. If you haven't done so already, now it's time to start acting. What you need to do, where you should start and what's involved is a matter for another article, so stay tuned.

Rafael Silva

Sr System Engineer | SysAdmin | Cloud Administrator | Solutions Architect | Azure | Office 365 | Critical Systems | Network | Infrastructure | Opinions are my own!

7 years

Good and simple to understand, well done Nuno, Abraço
