{"id":4398,"date":"2017-02-06T16:33:02","date_gmt":"2017-02-06T16:33:02","guid":{"rendered":"http:\/\/www.chaordicsolutions.co.uk\/blog\/?p=4398"},"modified":"2017-02-07T12:09:50","modified_gmt":"2017-02-07T12:09:50","slug":"now-that-the-fog-is-clearing-on-gdpr-its-time-to-speed-things-up","status":"publish","type":"post","link":"https:\/\/www.chaordicsolutions.co.uk\/blog\/gdpr\/now-that-the-fog-is-clearing-on-gdpr-its-time-to-speed-things-up\/","title":{"rendered":"Now that the fog is clearing on GDPR, it\u2019s time to speed things up"},"content":{"rendered":"

\"\"<\/a>When did you first hear about the\u00a0General Data Protection Regulation (GDPR) legislation and the need to comply with it by May 2018?<\/p>\n

 <\/p>\n

Was it recently or possibly many months ago, when the legislation was formally adopted<\/u><\/a> by the European Parliament in April 2016? On the other hand, GDPR compliance activities might have been on your organisation’s radar even earlier than that.<\/p>\n

There is a good chance you have\u00a0already heard something about GDPR although\u00a0maybe you have become overwhelmed with it all, hoping that the inconvenience of having to comply\u00a0would conveniently and quietly go away.<\/p>\n

But then\u00a0you might\u00a0be reading this article as someone who is working for one of the few organisations that have already started their GDPR implementation activities and are on track to achieving compliance by May 2018.<\/p>\n

It is now clear that the legal requirement for your organisation to comply with GDPR is not going to go away and\u00a0the associated end date is not going to\u00a0change either.<\/p>\n

If you have still not started your implementation activities yet, the risk of non-compliance is therefore significantly increasing for your organisation and its investors.<\/p>\n

Opportunities<\/strong><\/p>\n

GDPR is not something to fear.<\/p>\n

It presents many\u00a0opportunities to add value to and protect your business, provided you open your mind to the important point that it\u00a0is not just another piece of technical compliance work<\/strong> you give to your IT people,\u00a0as discussed in an earlier post<\/u><\/a>…\u00a0it is a fundamental change to the way we handle data within our organisations.<\/p>\n

We must also remember that this is the first major revision of data protection and privacy legislation for over twenty years so, if properly implemented, will present many opportunities for better protecting both individuals and organisations in our ever-increasing digital and interconnected world.<\/p>\n

As the UK Information Commissioner, Elizabeth Denham, emphasised in a recent speech<\/u><\/a>, accountability is a key change under GDPR. She went onto to add \u201cIt\u2019s about moving away from seeing the law as a box ticking exercise<\/strong>, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.\u201d<\/p>\n

Approach<\/strong><\/p>\n

If you haven\u2019t done so already, the time has now come to face into reality and accept the complexity<\/u><\/a> of what is needed within your organisation to comply with this incredibly challenging but exciting piece of legislation<\/p>\n

The complexity needs to be managed with care since the implications of non-compliance by May 2018 are significant with those accountable in the boardroom in scope for potential criminal prosecution, as well as the already widely publicised potential\u00a04% of turnover fine and associated reputational damage.<\/p>\n

However, it is still not clear that this accountability is truly understood by many boards\u2026 as reflected by the number of GDPR programmes that have still yet to start or are woefully underfunded.<\/p>\n

So what is needed?<\/p>\n

The first step is to setup up a programme\u2026<\/strong> on an enterprise-wide basis to manage your implementation activities, with strong boardroom sponsorship involving all key stakeholder groups within your organisation.<\/p>\n

The second step is to structure your programme<\/strong>\u2026 by deciding whether to use an already implemented methodology or by selecting a more appropriate one to help direct your critical privacy related activities.<\/p>\n

The third step to then tailor your selected methodology<\/strong>\u2026 to reflect the realities of the organisational environment in which it is being used, and to integrate any associated privacy related frameworks and supporting tools<\/u><\/a> which\u00a0are also needed for your organisation.<\/p>\n

The fourth step is to plan your programme\u2026<\/strong> involving all key stakeholders and the way in which you have decided to organise your programme activities.<\/p>\n

The fifth step is to launch your programme and support it<\/strong> with an appropriate level of resource (and funding) given the challenges that the programme faces within your organisation.<\/p>\n

Challenges<\/strong><\/p>\n

The challenges each organisation will face will be unique, reflecting a rich and varied mix of different factors including:<\/p>\n