MARK EVANS
Now that GDPR is embedded in British law, how are businesses reacting? A consultant shares his early experiences and what we can learn from them
I found myself at a crossroads, one no doubt familiar to many PC Pro readers. I’d taken the IT function within my employer’s business as far as it could go and, in doing so, put myself in a position where I’d have to take a step back with a new employer and do it all over again – or set off on my own in a specific area. The fact you’re reading this suggests the route I chose, but what about the area?
It helped that I had a long-running interest in data protection and cybersecurity, along with the relevant certifications. It was time to put those to use in my own business. But that makes it sound like my education stopped, which is far from the truth. I’ve had some time to engage with different businesses since making the switch, and have come to appreciate the impact of the General Data Protection Regulation (GDPR) on organisations large and small.
Question the unquestionable
My first insight is that there was no possibility of selling the idea of “first mover advantage” with regards to conformance of GDPR. It was seen as a hurdle to be crossed with no financial return. Conversely, several organisations with whom I worked saw GDPR as an opportunity to spring clean. In an environment where “return” was sought from adopting the requirements of the regulation, some businesses approached their data, both digital and paper-based, with admirable pragmatism.
One organisation effectively said, “Do GDPR to us!” and it was pleasantly surprised to find that one exercise – a data-mapping session – led to it being able to destroy paper archives that it had no legal basis to retain. The saving? Tens of thousands of pounds per annum in reduced storage space in a London facility. The impact? None. Apparently, no-one ever reviewed the paper, but no-one had the time to review the necessity for such storage. GDPR gave this firm the time for reflection and it paid dividends, even before taking into account the potential sanctions regime that came into force on 25 May.
My takeaway? Question the (often) unquestionable. The paper data was costing a small fortune to store but it was almost an article of faith that the data was untouchable, up to the point where GDPR required some introspection. The paper-based data wasn’t adding any value to the business. It was presenting a potential vector for a data breach. Taking a view that the data should be destroyed was a win-win for the organisation in terms of removing non-compliant data, removing opportunities for the data to leak, and also costs of storage.
Power of leadership
I ran a GDPR training session for a small company involved in residential care in Nottinghamshire. I was pleased to discover that the heads of the organisation’s care homes were in attendance. As was the MD. He was an impressive individual, with a background in corporate law. He listened, asked pertinent questions, and was satisfied with the need for the regulations. As such, he interrupted me on several occasions to stress to the care home managers that figuring out how the regulations could be adopted practically in an organisation that was primarily paper-based was non-negotiable and a priority.
Coming across senior management who will engage with the regulatory requirements of GDPR has proven to be something of a rarity. I’m surprised, because the regulation has some strenuous sanctions for organisations that, by act or omission, fail to comply.
Here, the MD had taken a half-day out of his schedule to fundamentally understand the changing regulatory landscape and to underline and endorse the effort to comply, leading from the front. His care home leaders were quick to understand what was required and came up with pragmatic suggestions and ways in which GDPR could benefit them and their residents. I came away enthused by their new-found zeal!
If you work for an organisation that handles personal data, where senior management is seeking to ignore the regulation, my advice is to get a job somewhere else, quickly. Data protection will become a standard by which organisations are judged. We’re still in the early stages of adherence, but it won’t be long before we have employees who know no different.
In an environment where the search for talent is growing ever sharper, the lack of engagement with GDPR from senior management will snowball through an organisation as staff leave to work in a “safer” environment, unthreatened by potentially business-ending fines and reputational damage, and new staff will prefer to work in a place that has a mature attitude to data protection.
At this point, there might be some thinking: “Well – you work in data protection, so of course you’re singing the praises of data protection!” But it will take only one Gerald Ratneresque comment from a senior manager to drive a long-standing business into treacherous waters. At that point, the value of data protection and privacy will become an existential concern of senior managers and shareholders. It’s likely to mean more regular, heightened scrutiny from supervisory authorities, too…
High stakes for stakeholders
Assessing an organisation for its conformance to GDPR is a multi-stakeholder undertaking. It isn’t the job of one business area in isolation. Done properly, key stakeholders are involved for their input and to assess the cultural drivers within any business. The “micro” cultures in many businesses need to be persuaded to involve themselves and to drive towards achieving a defensible position, if the organisation is ever faced with a data-protection audit. This, in turn, requires strong senior leadership, as mentioned above.
Peter Drucker memorably said, “Culture eats strategy for breakfast.” If you need to address key cultural aspects of the business, it needs buy-in across the organisation. It needs praise or penalty directed to employees to enforce. If you can sell the idea of improving the efficiency of the business by adopting responsible data-handling and the avoidance of penalties, the culture will gradually change. I’ve seen organisations whose expectation is to “have GDPR done to them” and it really is a waste of time and effort. A thin veneer of compliance will peel away as people go back to their tried-and-tested processes, those that may lead to data breaches and a negative outcome for the organisation.
Borrowed time
I smile wryly when I hear people say, “It’s after 25 May and nothing has happened, so it’s all a bit ‘Y2K’, isn’t it?” Anyone who believed that the Information Commissioner’s Office (ICO) would be hitting an organisation with a €20 million fine on 26 May doesn’t understand the legal system or how investigations work. The ICO isn’t going to wave a magic “sanctions wand” and attack UK businesses indiscriminately.
The ICO has a tightrope to walk, in terms of sanctioning organisations. The fastest way to undermine its work is to apportion fines and force businesses to go under. Fear isn’t a supportive environment for business, and so the ICO is seeking to undertake a consultative role with business in general. This was never going to kick into action on Friday 25 May, immediately before a Bank Holiday weekend. This will be a slow-burn. Once the regulation is embedded in UK Plc under the guise of the Data Protection Act (2018), woe betide any organisation whose sole response to a data audit is a plaintive, “We’ve tried nothing, and we’re all out of ideas!”
A band of brothers (and sisters)
My biggest surprise, however, has been in the body of keen, driven people who have engaged with the regulation and undertaken reams of paper-based study to help guide organisations. Yes, there are total charlatans out there, offering poor advice for a very good fee. But I’ve seen more camaraderie, more passing of information and, yes, more opportunities, between data-protection operatives than in any other sphere of IT throughout my career.
There are excellent consultants out in the wild, offering advice to organisations from managers of social clubs to social media entrepreneurs, all with a drive to protect the organisation and their data subjects.
Is this a self-serving echo chamber? Not at all. Robust arguments are pursued as people deal with the start of the biggest shake-up of data privacy we’ve seen. GDPR is making waves. The state of California has pursued very similar legislation and the effect on Silicon Valley is only now starting to appear. Other countries are seeing that GDPR is workable, putting the data subject (you!) back in control of his or her data. The end result is a higher standard of data privacy consultancy.
As is the case with people and businesses: change is life. GDPR is just another change through which people and organisations will have to evolve. I’m certainly glad that I’ve had the opportunity to engage with people who are pursuing their position within the regulation, either as business operators or consultants. It’s a refreshing change. And the story is still in its preamble for everyone.