Most organizations know by now that the EU General Data Protection Regulation (GDPR) covers any information that can be linked to an individual, in any format and on any medium, and applies to all EU member states and EU citizens, including international companies with EU operations or customers. However, fewer organizations know how it will impact their operations when this radical overhaul of data protection law is enforced in a few months' time. While most organizations have started investigating the journey to becoming GDPR compliant, a recent estimate from Gartner shows that more than 50 percent of companies affected by GDPR will not reach full compliance before May. According to a Deloitte study, only 15% of organizations surveyed expect to be fully compliant by 25 May 2018.
This article is not an attempt to provide a guideline or action plan covering all you need to know about the new regulation, nor is it a resource of educational material or an explanation of the GDPR's provisions that would make organizations fully compliant. Instead, we want to offer some suggestions about what organizations need to consider on their GDPR journey. Many specialists have already published their take on how the framework will impact individuals and organizations, and on how to approach and prepare for it internally. Therefore, if you are interested in reading further, we have provided below a selection of the articles and reports we find interesting regarding GDPR.
No change is made overnight – it is a long haul
When it comes to compliance, people are still confused, and often regard GDPR as a rather fluffy framework. GDPR is based on guiding principles rather than rules, which makes it challenging for organizations to grasp the extent of their GDPR compliance projects. At the same time, companies face the challenge that these principles must be implemented within the unique context of their own organization, making it hard or even impossible to standardize across companies or industries. This places great demands on which specialists organizations should hire.
Many companies are in urgent need of IT specialists with sufficient knowledge of GDPR, security and privacy: specialists who can forecast how the regulation will impact organizations, and who are able to navigate the principles and put them into practice. It is vital for both public and private organizations to find IT specialists who can own the GDPR compliance programs or projects within their organization. The demand for such specialists is booming, and organizations are fighting over the few currently available on the market. On one hand, we see a large demand for specialists within the organization, such as IT specialists, lawyers and employees working on GDPR compliance, who are required to have exhaustive knowledge of the GDPR principles. On the other hand, organizations also require the remaining majority of specialists, working on other projects not directly related to the GDPR implementation, to have some general knowledge of the principles so that the entire organization can reach full compliance.
GDPR compliance involves everyone
Organizations may benefit more from hiring GDPR specialists who take part in the GDPR program, from assessing the organization's GDPR readiness, through executing the necessary business processes, to monitoring adherence to GDPR principles throughout the organization, than from buying a one-time package solution or report. Organizations must understand that GDPR is an ongoing process, in which people have to carry out continuous checks of whether or not they are compliant. With GDPR being a rather challenging framework to implement, organizations require more from the specialists they hire to handle GDPR compliance. It is crucial that these specialists understand the organization's unique context, so that they respect its well-established processes and activities.
Organizations should be careful about placing the GDPR responsibility within a single department or function. While the GDPR framework should not be offloaded onto and kept within the IT department, IT does play a crucial role in systematizing the organizational change that GDPR entails, and therefore the IT department often ends up taking the main responsibility. There is a tendency for the perception of being compliant to become disconnected from the reality of compliance across the entire organization.
Habits are hard to break
Organizations must realize that full compliance is not reached overnight. It is about learning, and about transforming current organizational procedures and processes. The organizational change needed to reach full GDPR compliance is a long haul, and challenging for most organizations. Employees and consultants have to unlearn the habits they have established for certain work processes when it comes to handling private information. People gain tacit knowledge that develops over time and through experience, by trial and error, and, just as when riding a bike, they complete activities without paying attention to why they do what they do. With the new GDPR framework, organizations must replace the procedures and processes followed previously with new ones that will make the organization fully compliant. This can be a challenging process, and it often requires more than a document describing which procedures and processes each individual must follow to comply with the organization's GDPR guidelines. It is crucial for organizations to continuously train and educate their employees so that they understand the new procedures and processes, and so that following them becomes an automatic part of their daily workflows. A big task for GDPR program managers will be to ensure ongoing monitoring and reporting in order to deliver full compliance.
Stay ahead of the game
Change often comes more easily when people realize that the new methodology, processes or technologies to be implemented will result in more efficient or productive work. The fact that GDPR (like most other regulatory interventions) will not necessarily lead to more efficiency or productivity, but to a certain extent can be a direct burden on digitization, will make it difficult for organizations to convince people to undertake the necessary transformation. However, the truth is that the faster an organization masters the organizational change required to reach full compliance, the more likely it is to stay ahead of the competition.
At 7N we strive to be at the forefront of the GDPR framework, and we continuously offer training to our IT specialists to ensure they have the skills needed to help organizations stay ahead of the competition.
If you are interested in hearing more about our GDPR specialists, please contact one of our Agents.
If you are a 7N consultant, we will offer you a GDPR certification at the end of Q1 2018. Please send Anders Søgaard an email for more information (ansoe@7N.com).
Read more about GDPR (our references):
- Datatilsynet (Danish Data Protection Agency), 2016. Velkommen til Datatilsynets hjemmeside om EU's Databeskyttelsesreform. [Online in Danish] Available at: http://www.dbreform.dk/
- Gartner, 2017. Gartner Says Organizations Are Unprepared for the 2018 European Data Protection Regulation. [Online] Available at: https://www.gartner.com/newsroom/id/3701117
- Deloitte, 2017. Deloitte GDPR Benchmarking Survey. [Online] Available at: https://www2.deloitte.com/nl/nl/pages/risk/articles/gdpr-benchmarking-survey.html
- Daniel, M., Rowshankish, K., Soller, H. & Stamenov, K., 2017. Tackling GDPR compliance before time runs out. [Online] Available at: https://www.mckinsey.com/business-functions/risk/our-insights/tackling-gdpr-compliance-before-time-runs-out#0
- Mikkelsen, D., Soller, H. & Strandell-Jansson, M., 2017. McKinsey&Company: The EU data-protection regulation: compliance burden or foundation for digitization? [Online] Available at: https://www.mckinsey.com/business-functions/risk/our-insights/the-eu-data-protection-regulation-compliance-burden-or-foundation-for-digitization