There’s little doubt you’ve been drowning in GDPR content over the past months with the deadline just around the corner.
Businesses around the world have been scampering to get their data protection practices in line with the imminent regulations as the consequences are quite steep – fines of up to 20 million euros or 4 percent of total worldwide annual turnover, what ever is higher – and there is the general belief the European Union will be seeking to make early examples of non-compliant companies to prove the GDPR has ‘teeth’.
But how can you sift through all the content and get a simple straight answer? Fortunately I was able to catch up with Henley Business School GDPR Programme executive fellow and director Ardi Kolah at the recent SolarWinds MSP Empower MSP event held in Amsterdam.
“One of the things that we have to focus on is that this isn't the end of a journey. In many respects the 25th of May is the start of a journey. Up to that point there has been a transitional period,” says Kolah.
“The GDPR is in fact active now and was adopted by the European Commission back in April 2016. Because it touches the deep tissue of all organisations regardless of sector, the European Commission gave those organisations and member states time to get ready - two years - for what this new landscape would look like.
Kolah says all the headlines reporting a significant number of businesses to not be ready for the deadline are true in some respects as there are a lot of organisations that haven’t taken that opportunity and are now concerned about what's going to happen to them.
“In short, the sky won't fall in and the sun will still rise and set. What will happen though is that we are now working in a different landscape where we are processing people's data to a much higher standard than has been the case for the past 20 years,” Kolah says.
“That's a journey which we will continue to be on forever. Once we've reached those standards that we're expected to attain, we have to maintain them. It's about continuous improvement. If you're a global company, there shouldn't be a struggle, you shouldn't be panicking, and it should fit within existing policies, processes and procedures that you're doing anyway in order to maintain world class standards.”
Kolah says there is a lot of confusion around in regards to what the 25th of May will actually bring.
“It's the end of the transition period. You've been expected to change your policies, processes and procedures to be in alignment with these higher standards and effectively in very simple terms you're expected to identify what you're doing in terms of processing personal data of either high or very high risk,” says Kolah.
“You're then expected to have identified the relevant data to reduce it to a residual risk which doesn't cause harm and damage. Effectively, if you've recorded what you've done to reduce it from a very high risk to a residual risk by putting in appropriate organisational measures and recorded what you've done, should you have a data breach post the 25th of May you will have a narrative that you can put before the supervisor authority (and the regulator if you're in a regulated market) to demonstrate that you've taken all the steps necessary in order to mitigate risk. That in a nutshell is what you and I as individuals expect an organisation to do.”
Kolah stresses that it’s not just about reaching GDPR compliance, but growing and maintaining it – with the secret behind it being a rebooting of how you’re thinking about data protection, privacy and security.
What you may have done in the past may have been a bit of a tickbox exercise where you've done lots of stuff and data protection was an item on the list that you could tick when complete. Those days have gone. Everything that you now need to do in terms of products and services regardless of whether that's to be on a paid-for basis or even a free basis has to have data protection baked into it,” says Kolah.
“It's an approach that has been around for a very long time and it's called data protection by design and by default. That is now hardwired into GDPR as Article 25, which is not a very long article but we describe that as being GDPR in a box because if you can comply with data protection by design and by default you're effectively going to be compliant with GDPR.”
Kolah says the introduction of GDPR is well overdue as it is replacing 20 years of data protection laws and regulations that have essentially been a ‘patchwork quilt’ across the whole European Union.
“That created confusion, uncertainty, and an increase in cost - all things that are very detrimental from a business point of view. It's also not good from an individual's point of view because you weren't sure how your rights would be protected in Dublin vs London vs Athens vs Paris etc. That just doesn’t work anymore,” says Kolah.
“As technology has accelerated with the pace of change, the legal framework has been dragged and in a lot of cases stretched behind it. What the GDPR is trying to do is to actually update and create a framework that is not trying to stifle innovation but simply provide data protection alongside it.”
Despite this, there are a lot of organisations that say it’s a tradeoff between innovation on one hand and data protection and privacy on the other – something that Kolah says is incorrect.
“It's about doing more, not less, with personal data. And that depends on us deepening digital trust with those people that we're trying to involve with in a sense of products and services. That's really important because if we can build digital trust then we can do more with personal data, which is a real opportunity. The way we can do that is so simple but it does require a reboot in our personal thinking,” says Kolah.
“And it's this - we need to be transparent, accountable, and constantly think about putting control back in the hands of the individual. If we're able to do that and do it in a way that doesn't cause harm or damage when we're processing personal data, we will not survive but we will thrive because from a commercial point of view so many organisations are not currently doing this. If we're able to pick this up and see it as the opportunity that it really is then it will be phenomenally powerful.”
Ardi is releasing a book in early June titled The GDPR Handbook that is based on his programme at Henley Business School and uses practical experience built up over 20 years to present a solution in colloquial English - the only book to be officially endorsed by both the European Commission and the Information Commissioners Office in the UK.