“GDPR is more of an evolution than a revolution” of the current Data Protection Act, said Peter Brown, senior technology officer, Information Commissioner’s Office and speaker at Infosecurity Europe 2017.
With the GDPR coming into force in less than 12 months’ time, Brown presented a session on where organizations should be now in their journey to GDPR-readiness.
Concerning best approaches to compliance, he said that “the carrot might actually be more effective” than the stick, adding that the potential opportunity GDPR compliance affords from a data protection standpoint could inspire companies more than the threat of fines (the stick).
“Don’t think of the money you may lose in a fine”, Brown said, “think of the money you may make if you get things right.
“Individuals are less likely to take up new services if they do not trust the provider to keep their data safe. Businesses that understand this will be in a better place to gain an advantage.”
GDPR offers an opportunity to do things properly: instead of thinking only about how much money you could lose or how much damage your reputation could sustain, think about what you could gain if you get it right.
So where should you be now? Whilst Brown admitted that this can vary depending on the type, size and requirements of your organization, he outlined 12 steps that companies should consider to gauge where they are and see what they may need to work on, which are:
1. Awareness
2. Information you hold
3. Communicating privacy information
4. Individuals’ rights
5. Subject access requests
6. Legal basis for processing personal data
7. Consent
8. Children
9. Data breaches
10. Data protection by design & DPIAs
11. Data protection officers
12. International
“The biggest problem is going to be those businesses who may recognize they have work to do, but haven’t actually done anything about it. That’s the problem we’re going to have”, Brown concluded.