GDPR. With just months to go it’s inescapable and all the hysteria surrounding it is finally coming to a head. European companies are now staring at the deadline date as if it is the barrel of a gun, and a loaded gun at that. Everyone is trying desperately to achieve “compliance” without even knowing what that fully entails.
Preparing to abide by the new requirements it will impose has become a top priority amongst both SMEs and large enterprises, though arguably a higher priority still for the many IT security vendors who have suddenly, and conveniently, become experts on the subject.
“Failure to prepare is preparing to fail” seems to have become the new mantra for these vendors, who have well and truly boarded the GDPR bandwagon. All the revenue-hungry sales reps are using the same pitch: “start buying this (our) product now or it’s game over when dawn breaks on 25th May 2018.” They’re perpetuating the threat of the significant financial repercussions and legal consequences that lie in wait for businesses that do not comply, and offering what appears to be a simple solution: a product that will transform your organisation into a GDPR-compliant one.
But how can they guarantee compliance when GDPR as yet is not fully defined?
Well, the truth is, they can’t...
At this moment in time, GDPR as a concept is incomplete across all areas. It is not a destination that organisations can ‘arrive’ at by adopting new products or services. Why? Because, in its fully interpreted form, with the detailed guidance that will tell organisations what the regulators actually expect, it simply doesn’t exist yet.
As the deadline draws closer, the urgency creeping into conversations about GDPR is heightening but somewhat unfounded. Admittedly, some aspects of the legislation are black and white - such as the detailed (and expanded) definition of what constitutes personal data – but they’re surrounded by many more that are currently very, very grey. Therefore, the GDPR puzzle is missing several key pieces and you cannot possibly begin to define it as a whole or act with 100 per cent certainty. Essentially, much of the rushed, panicked preparation being undertaken by organisations and endorsed by security vendors is futile.
But could you be at risk of potentially devastating fines on 25th May 2018?
Well, history tells us that this will not be the case. The Data Protection Act 1998, for example, was passed in 1998 and came fully into force in 2000, but it was 2010 before the first monetary penalties were issued by the Information Commissioner. The likelihood is that GDPR won’t be an overnight change either, mainly because that’s just not realistic. As with every step into the unknown, the legislation will be a learning curve for all involved, and therefore a cross-over period and a bit of leeway for organisations having to adjust their attitudes towards data will naturally be required, and probably granted.
That’s not to say that all anyone can do right now is sit twiddling their thumbs waiting for all aspects of GDPR to become crystal clear. Detailed preparation for GDPR when certain aspects of it are still so unclear is pointless, but that doesn’t have to stop you preparing to prepare.
So, what can be done?
The most important action that your organisation can take in the lead up to GDPR is to remain calm and shut out the noise. Don’t get sucked in by those vendors who have jumped on the GDPR bandwagon, and don’t rush to spend your budget based on their false promises and exaggerated threats of immediate financial doom should your organisation not be 100 per cent compliant before deadline day. The truth is that, at this point all that vendors can really do is ensure that a customer is no less compliant after purchasing their services.
Instead, focus your efforts on beginning to think about what the new definition of personal data means to your business. The upcoming legislation will change the way that organisations collect, store and use data; it’s all about understanding what you have and where it is held. So, whilst an internal audit of your systems, alongside a review of any existing data management practices, won’t make your business ‘GDPR ready’ as such, it could be your first step on that journey and will probably help you in the long run. Let’s face it, it’s good business practice anyway.
You should also bear in mind that the implementation of GDPR is not something that can just be glanced at and signed off, or passed along, by board members. Over the years, there’s been a noticeable shift in the way that technology is regarded within businesses. The challenges of network security, digital infrastructure and data management are no longer just problems for IT teams and legal departments to deal with. Likewise, when it comes to GDPR, every single person within the business has a responsibility and must play an active role in implementing and complying with the regulation. So collaboration will be key during the transition process and beyond. Although all departments within the business will have their own preparations to take care of, the overall GDPR effort should be a united one.
Unfortunately, right now there is no vendor, no service and no product that can make an organisation 100 per cent GDPR ready. That level of compliance is not possible when all the rules are not yet stated. To get to that place, it’s going to be a long journey, and one that will almost certainly exceed the deadline of May 2018. However, it’s a journey that we all must be part of together.
Richard Walters, Chief Security Strategist, CensorNet