Robert Baugh of Keepabl is a leading expert on GDPR and a consultant to companies where data protection and the management of confidential and sensitive data is paramount. Only two months to go – his advice on your preparedness for the new data regulations may surprise you…
As everyone knows by now, 25 May 2018 is the day the EU’s General Data Protection Regulation (GDPR) comes into force. All businesses established in the EU – and those who target or monitor individuals in the EU – will have to comply with the GDPR’s new regime for the protection of personal data.
So where’s your main exposure right now? Regulatory fines, right?
Many GDPR commentators are leading with the greatly increased fines. And they are immense – up to €20m or 4% of global turnover if greater. But while fines, and therefore regulators, are certainly in the limelight right now, that focus is misplaced. No matter how professional they are, regulators tend to be under-resourced, and reactive rather than proactive in their enforcement activities – and that level of fine still won’t appear until after 25 May.
The real pressure now is from customers – your revenue source. Stakeholders in most businesses, and certainly in larger ones, are pushing for GDPR compliance by May. A large part of compliance in today’s networked world is to do with vendors, who carry out so much of an organisation’s business in one way or another.
GDPR should really only impact vendors that are also ‘processors’ – who process personal data on behalf of the ‘controller’, their client. But the net has gone wide and is capturing almost all vendors as Vendor Due Diligence policies are revised and sent out to test GDPR readiness.
I’ve been advising clients sending these out and receiving them, in the EU and overseas. If you’ve not received a GDPR readiness questionnaire from a customer yet, you can expect one to hit your inbox very soon.
And GDPR-driven vendor due diligence is already having a real-world impact: Cisco’s 2018 Privacy Maturity Benchmark Study revealed that 65% of businesses are experiencing sales delays due to privacy concerns.
In the UK, the average sales delay was 9.3 weeks. That’s an average delay of more than 2 months in sales – and the knock-on effect on cash flow – right now, still with more than 70 days to go before the GDPR takes effect.
Logically, the better prepared you are – and the better able you are to show it – the better it will be for your business, and this is borne out in Cisco’s results: the sales delay is an average 3.4 weeks for privacy-mature organisations but an eye-watering 16.8 weeks for the privacy-immature.
So don’t sweat the fines just yet, focus instead on telling your customers how well your compliance project is going and keep that revenue flowing. Take the lead and offer GDPR-compliant contract amendments at the same time. Trust me, that will go down very well.