This blog covers:
- Initial thoughts about GDPR
- Company-wide involvement
Here at Riverbank, we’ve been discussing the General Data Protection Regulation (GDPR) for some time now. We all knew it was coming, and that we needed to take action, but in all honesty, it took a while for us to actually get moving.
I think a lot of this was down to fear – fear of the unknown, fear of the potential amount of work required, and the fear we all felt which made us not want to stick our individual heads above the parapet to volunteer to manage the project.
Then, a couple of weeks ago, came crunch point. The date the regulation starts to apply was approaching quickly (it’s 25th May 2018, in case you don’t know), so there was no more messing around: we needed to decide who was going to run with it. Cue lots of looking down at the floor, and (completely valid) claims of having too much work already. But someone had to do it, and that someone ended up being me.
Now I have to be honest here, I don’t have a background in compliance – I’m Head of Operations at Riverbank and my background is in Service Delivery, but I worked for over a decade in a regulated industry (Financial Services), so I have a pretty good idea of what is involved in achieving compliance in the first place and then maintaining it. GDPR is going to affect Riverbank’s operations massively as well, so it kind of made sense for me to do it…
Since being given the responsibility, I’ve spent the last couple of weeks reading up as much as I can about the new regulation, getting to grips with the finer points and separating the fact from the fiction. Here are a few things I’ve learnt:
1. The amount of work that will be involved will be colossal! I’m not exaggerating, this is going to affect everything we do, from our clients to our suppliers and everything in between. Anyone planning on waiting until the new year to get started will almost certainly either fail, or get it catastrophically wrong. My suspicions are that there will be mass panic come early 2018, as organisations come to the grim realisation that they have left it too late.
2. Everyone in Riverbank needs to be on board, or it will fail! I’ve been carrying out presentations to all staff about GDPR and the impact it is going to have. People have walked in to the room thinking “here we go, a boring hour of regulatory waffle, time for a quick nap”, and walked out with a look of fear at the amount of work involved coupled with genuine positivity that actually this could be a really good thing for Riverbank.
During the presentations, I had a lot of interesting & engaging conversations, with people asking questions about things I hadn’t even considered. This was really positive for me, as it feels like everyone is keen to make sure we do it right.
3. Riverbank processes way more personal information than I had thought. You start off thinking it’s just a few systems, and as you keep digging you come up with more and more areas that contain personal information, all of which need to be considered and dealt with. This has taken longer than I thought it would, and I’ve needed a lot of input from all around the business to find out exactly what people do, and how they do it. Personally, I already feel like I understand Riverbank much better than I did just 2 weeks ago.
4. It’s a great opportunity to deal with all of those “housekeeping” things you may have been putting off because they seemed to be too difficult or time consuming. Things like contract updating (you’ll need to do it for GDPR anyway, so why not take the opportunity to update the whole thing?) or supplier reviews (consolidating or rationalising supplier lists will mean less work needed to ensure supplier GDPR compliance). Make your GDPR life as easy as possible and do the same!
5. If you use cloud services that process personal data and are based outside of the EU, you may not be able to continue using them as they are once GDPR applies, so you may need to consider alternatives. Under GDPR, transferring personal data outside the EU is only allowed where the destination country has an EU adequacy decision or where appropriate safeguards are in place. It is worth noting here that the USA does not have an adequacy decision, so any US based cloud service will need to be investigated thoroughly to confirm that the provider is certified under the EU-US Privacy Shield framework, or offers another recognised safeguard such as the EU standard contractual clauses, before you rely on it.
6. Failure to comply with GDPR could genuinely be business ending. The maximum fine of €20m or 4% of annual worldwide turnover, whichever is higher, would quite simply shut Riverbank down, and would do the same to large numbers of other organisations. Non-compliance is not an option!
7. GDPR is a massive opportunity for Riverbank (and any organisation for that matter) to become a much slicker, more effective and professional organisation. Yes, every organisation is going to have to comply, but if it is done properly it can be used as a differentiator to the competition, and leveraged to push your business forward.
When I started looking at GDPR, I was honestly terrified, but now I see it as something we can use to our advantage. It will most certainly drive a huge cultural shift within our organisation, which in turn will make us more effective, drive increased client satisfaction, bring in more revenue and create happier staff. I would suggest that your organisation could find the same benefits if you look at GDPR as an opportunity to excel, rather than an administrative burden. But, and this really is the rub, you need to start now.
Dave Garwood will be blogging regularly about his GDPR journey, including explanations of specific parts of the regulations alongside his practical experiences of the implementation at Riverbank.
At Riverbank, we can guide you on your journey to IT compliance, making sure your systems are in line with the new requirements. If you need an expert IT partner to see you through the process before the new rules kick in next May, give us a call on 01235 426700 or email firstname.lastname@example.org to discuss the details.