The new General Data Protection Regulation (GDPR) may have been published in the EU Official Journal nearly two years ago, but by the time its provisions become directly applicable in all member states – the dreaded May, 25th 2018 – Gartner predicts that more than 50% of companies affected by the GDPR will not be in full compliance. The actual number of organisations that will fall short of full compliance may vary according to the survey, but one thing seems clear: many organisations have yet to address their data protection and privacy risks policies consistently and with an approach that goes beyond immediate compliance.
As we reach the end of what has a been a two-year transition period, some organisations are still deferring action as they rather wait and see what others will do and how and when each domestic regulator across the EU will actually enforce GDPR. Others simply believe that transferring the burden of GDPR compliance to third party entities will ensure their own compliance. Constantine Karbaliotis, Director and Leader of Managed Privacy Services at PwC Canada wrote what is probably the nightmare letter every GDPR affected organisation should fear. Despite being, hopefully, an unlikely worst case scenario, this exercise showcases some of the issues that will affect even those organisations that consider themselves GDPR ready.
The risks of non-compliance are high and have been broadly discussed in the media, especially in the past months, with polarised views ranging from the scaremongers who predict GDPR will bring down organisations that fail to comply to every fine printed provision, to those who do not really believe GDPR will ever be truly enforced or target more than the GAFA and some other high profile organisation. As history seems to prove, though, reality will likely be somewhere in middle.
Therefore, while the consequences of non-compliance should always be a concern, there are additional risks with regards to trust and reputation that must also be factored in. However, focusing solely on compliance and dismissing what should be the inherent capability development will actually expose the organisation to an additional risk: missing out on the benefits of the process and underlying opportunities for growth.
In a recent article about the key steps to improve your data protection policy, the Innovation Value Institute outlined some of these benefits: protection against costly data breaches, improved data and business management which will enable the organisation to perform and innovate at much higher standards and trustworthiness.
With the growing pervasiveness of data driven technologies and all their much anticipated business opportunities, we should also expect an increase in cybercrime and in concerns about data privacy and security. Would you willingly share your personal data with an organisation that is unable to ensure GDPR compliance? Probably not. And how would your business continue to thrive if it were unable to at least access its customers’ data? It definitely would not.
Although the jury may still be out on the level of GDPR enforcement organisations big and small will experience, consumers and society as a whole are already demanding a thorough responsible use of data by every organisation. Those who are unable to provide that assurance will not just be performing at a lower standard than their competitors, but actually risk not performing at all.
So, whether the crackdown on non-compliant organisations begins at the stroke of midnight of May, 25th or at an uncertain later date, whether it will target every organisation or just some of the high profile ones, there is little doubt that failing to properly address data protection and privacy risks policies will have a major impact that goes beyond the direct consequences of non-compliance with GDPR.
All things considered, GDPR, with its set deadline, may end up being not a bureaucratic, operational and legal conundrum, but exactly what organisations needed to push them towards the performance standards they should already be at and that society requires before accelerating adoption of new technologies.
Do you consider your organisation will be GDPR ready before or by the deadline or have you just realised how distant that end goal is? No matter what stage in the process your organisation is currently in, getting a clear understanding of where your organisation stands is key to not only achieve and exceed that goal, but also to truly capitalise on all the benefits and opportunities it entails.
Through an approach that focuses both on compliance and capability development, IT-CMF’s GDPR readiness assessment will give you an in-depth analysis of organisational and individual capability in relation to data protection, identify capability gaps and define capability improvement paths as well as ensure that, as far as possible, your organisation is GDPR compliant.
Do you want to explore the value of IT-CMF’s GDPR readiness assessment for your organisation? Contact us or get in touch with your local CIONET teams for more information.