LONDON, 17 November 2017 – You can expect to hear this acronym with increasing frequency and fervour over the next seven months. GDPR is more far-reaching and has more significant people and organisation implications than most will expect.
To find out more about “What is GDPR?” see below.
As a result GDPR also has organisational change implications. We want to help you address those.
- Is your organisation fully aware of GDPR? Yes ___ No ___
‘No’ – The time has come to do this. The discussion in the business should be broad enough that teams should be able to identify potential issues in their part of the organisation. Start the conversation now. Start at the top and work down. If you’re not sure how, ask. Don’t let it slip.
‘Yes’ – That is good. Now you need to be sure that awareness is turned to action. The business should have a plan and a ‘change plan’ too – to ensure people know what they need to know, how to act on it and what the implications might be. Then test that knowledge by asking pointed but simple questions. For example, do we have systems in place to verify the ages of people who are giving permission for their data to be held? Is this on our Risk Register with clear actions and owners?
- Do people in your organisation know what to do about GDPR? Yes ___ No ___
‘No’ – If you do not have widespread agreement on a plan, then you do not have a plan. The change will not happen. That has been our experience with organisational change, particularly when people in the business need to perform or behave differently as a result. This is an issue that must be addressed quickly and effectively.
‘Yes’ – If you have set this up as a real and urgent corporate issue then you have made a good start. There will be some areas where no change is required, particularly if you are compliant with the Data Protection Act already. But there will be new things to do, and areas where things have to be done differently. Do you know all the different ways in which GDPR will affect you? These may include mailing lists, marketing plans, employee data, recruitment data, sales tracking, contracts, supplier agreements, and so on.
- Do your leaders know which parts of GDPR affect the business and where? Yes ___ No ___
‘No’ – If it is still good intentions or has been delegated away from leaders in the business then you will have an issue. We would expect every senior executive in major organisations to be able to explain how GDPR affects them. And to know that there are robust plans in place to address those areas and the people in them.
‘Yes’ – That is a good answer. Can you equally say then that your organisation has looked at the impact from a people perspective? You want to know well in advance who will need to be performing and behaving differently as a result of GDPR and what the plans are to do that. You should be talking about this in your business if you are not there yet.
- Have you communicated the changes in requirements through the system? Yes ___ No ___
‘No’ – Perhaps this seems like something that will happen in due course, maybe after the system changes have been identified. However, don’t underestimate the complexity of what you are planning. Your contracts with suppliers may need to change – your suppliers will have a view. Negotiations may ensue. Your relationships with customers will need to be different. Asking permission to hold data is not enough for GDPR; you need to have a record of that permission and systems in place to track any requests to make changes.
‘Yes’ – You should have reviewed the individual rights then too and thought about how those might impact your business. Portability, for example, remains unclear to many but could have a significant impact if you look at it as a more complex version of mobile phone number portability. And the new word of the moment ‘pseudonymisation’. Does your business understand the risks and opportunities associated with that?
- Is every individual in the potentially affected business continuity? Yes ___ No ___
‘No’ – To put it another way: are there business strategy and structure impacts? These include new roles associated with GDPR, such as Data Protection Officer. These are more than just title changes or new compliance people. There is a need to ensure “data protection by design and data protection by default” – which has significant implications in many businesses and for the people who work there. Then there are the many different ways that you will need to ensure consent, verify ages and respond to data breaches. All of these need a change plan too.
‘Yes’ – If the answer is yes then that is a comforting response. So it’s worth asking a few follow-up questions that might draw out some new areas for attention. Is the organisation aware of the implications and impacts for parts of the business that are not in the EU? Because there are many. Has a decision been made about which EU state to work with? Your lead authority will be important to you, and the durability of that relationship should be considered.
There are more questions to ask. And more discussions to be had. However, if the questions above yielded more than one ‘no’ you should be making further enquiries. The point at which GDPR becomes law is in May 2018. That is very soon. (We may be able to help.)
If your IT team or CIO are operating this as a purely technical programme then you have another issue. There can be no doubt that people will need to deliver the GDPR changes. And where people need to perform or behave differently there is an organisational change management requirement. We suggest you get in touch.
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU Directive that was passed on 26 April 2016 and comes into effect on 25 May 2018. Its aim is to unify and update regulations within the EU to give citizens and residents better control over their personal data.
It does not require national governments to pass any enabling legislation but is directly binding and applicable. Perhaps its most notable feature for organisations – inside the EU and outside – is that it also includes a strict data protection compliance regime with severe penalties of up to €20M or 4% of worldwide turnover – whichever is bigger.
The broad and strict nature of GDPR has caused concern in many quarters. It applies to the data controller (anyone who collects data from EU residents) or processor (anyone who handles that data) or the data subject (person) based in the EU. That data can include: a name, a home address, a photo, an email address, bank details, posts on social media websites, medical information, or a computer’s IP address.
The Directive also highlights a number of individual rights:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object; and
- The right to not be subject to automated decision-making including profiling.
Each of these has its own different implications. However together they are far-reaching and complex.
GDPR also brings with it new roles in government and in organisations. There are many resources available. However, the most important thing to know is that organisations must act now.