Deprioritising GDPR – Is it a Risk worth calculating? (2017-03-28)
Article by Christophe Baur, first published on LinkedIn.
A blog post published on 9 February 2017 by Monica McDonnell put the implementation of GDPR on the table. This reminds me of a surprising approach to this hot topic that a speaker (a big-four consultant) presented to a somewhat sceptical crowd. In summary: GDPR commands a risk-based approach for all your personal data processing. So what if you decide to do nothing to comply with GDPR by May 2018?
Europe’s General Data Protection Regulation (GDPR) comes into force in May 2018. Companies that store or process personal information on European individuals (EU and EEA affiliates) will have had two years to understand the requirements and formulate a strategy for compliance.
An organisation's management will weigh three questions when considering a GDPR implementation project:
- How much effort is necessary to ensure full compliance with GDPR?
- Will national data protection authorities stick to the date originally stipulated and enforce the text?
- What is the estimated probability of being fined (an administrative fine, except in one Member State)?
We all know organisations have limited budgets, and many are being pressed by shareholders, owners and boards of directors to show a positive return on every euro invested.
Question 1 will not yield an answer senior execs will appreciate. On the surface, GDPR looks costly. It requires organisational change, including the appointment of a data protection officer; it affects business processes including marketing (how do you gain and record consent?); and, potentially most challenging, it requires you to be in control of the entire set of personal data, which could reside on premises, in the cloud or with business partners.
If the answer to question 2 is “no” or “probably not”, or the answer to question 3 is “low”, management may find it very tempting to allocate budget to projects that positively affect the bottom line rather than to a compliance project.
Having spoken with the data protection authorities, I am convinced we will witness early and regular activity in terms of investigations into breaches of the regulation. All across the EU, the supervisory authorities are recruiting legal and IT experts thanks to significant budget increases. Moreover, the accountability principle and the reversed proof of compliance will simplify their investigations (register vs. on-site investigation).
But, first things first – how real is GDPR in terms of timelines and enforcement?
Here are my top 3 reasons why I believe DPAs will begin enforcing GDPR in May 2018:
(A) There are no dependencies
Unlike other indirect regulations (Directives), there are no excuses for either the national regulators or industry to delay compliance or water down requirements. The Article 29 Working Party will release implementation guidelines or clarifications soon. National regulators can adapt GDPR to local requirements (54 points are open), but GDPR is applicable by itself, and everything you need to know about compliance has been published. Remember, GDPR is only an evolution of the 1995 Directive, not a revolution. Data protection is not new territory – legal advice is to hand for those who need it.
The full article is available on LinkedIn.