The EU General Data Protection Regulation or GDPR is already perceived as clunky, bureaucratic and an unpronounceable acronym. But it is a looming reality, now just 13 months away on 25 May 2018. It affects every organisation in every sector, whatever the size, that is handling any kind of personal data including payroll and HR.
The headlines so far have been mostly about the scale of the penalties: fines of up to €25 million / Stg£22 million or 4% of global turnover. For lesser transgressions the fines can go to €10 million / Stg£8.65 million and 2% of revenue. Apart from the sheer scale of the penalties, they can be imposed directly by the data protection authorities in each country and so do not have to go through the courts.
But that’s the negative side. There are actually more positives. For a start, the GDPR regime simply carries forward—and stiffens, it has to be said—the policies of personal data protection that have been developing in the EU since 1995. Since the final document was published, most legal and other experts have endorsed it as a tough but fair framework. Our attitudes generally to the protection of personal data and privacy in Europe are more on the side of the individual than, say, in the USA.
Eminent authorities have also suggested that the GDPR framework may become a Best Practice or Gold Standard for most countries in international trade. Like the US Food and Drug Authority standards, which are followed almost worldwide, it may rapidly become preferable to adopt and follow in the interests of successful trading rather than to opt out.
GDPR is essentially a legal requirement for compliance in all organisations. It is a management matter for policy and processes; it is not by its nature an IT matter. But in truth we all know that compliance with GDPR will be almost entirely dependent on IT systems, from apps and corporate applications like CRM, to data storage, to cloud, to geographic and national legal boundaries. It will specifically involve smart data management and transparent processes.
One major difference in personal data protection under GDPR is that it will not be sufficient to be compliant—organisations will have to be able to demonstrate or prove that they are. It will not take a data breach to be offside. That means that every item of personal data in the organisation will have to be tracked down, its nature and location identified, all permissions checked and all processes logged. That is only possible with smart software tools and high-performance storage from vendors like our partners Dell EMC, a global leader in software and services, servers and data storage, and SonicWall, specialists in security and compliance solutions.