GDPR won’t affect us! It’s his issue, not mine

I’ve just met with an IT Director at a medium-sized business with around 250 employees. During our conversation, the subject of GDPR came up, with the experienced IT Director stating, “This GDPR thing won’t affect us. It’s like the Y2K bug, mass panic about something that will never happen”.

When I asked him to explain further, he spoke about how GDPR is a European law and, even though he understood it would be accepted into UK law, he said it would be repealed soon after Brexit and that the Information Commissioner’s Office (ICO) wouldn’t enforce it in the interim.

I must say that I was a little surprised at his comments, as it is already accepted that GDPR will not be repealed and is here to stay in UK law. Not only that, but the legislation applies to Personally Identifiable Information (PII) relating to EU citizens, of which the business I was meeting with employed a high number.

Getting The Facts Straight

The ICO have already stated that they will fully enforce GDPR and were one of the key members who assisted with the creation of the legislation to replace the outdated and inadequate Data Protection Act. The ICO have also published guidelines for businesses about the steps they need to take and how the law may affect them.

When I asked the IT Director if he had read any information about GDPR, he explained that he had not, as the ICO would not fine a company of his size if it had a breach, and he probably wouldn’t tell them if he did have a breach. I did explain that any business is legally obliged to disclose a breach and that failure to do so could be a criminal act. I also knew that GDPR was going to be applied to all businesses equally and that the likelihood of a fine, if a breach occurred and the business had not taken all reasonable steps to prevent it, would be high.

GDPR is a game of tag!

The IT Director in question followed his last comment up with “Anyway, even if this stuff is enforceable, it’s not my problem; someone in HR needs to own it as it’s a compliance thing”. I didn’t like to break it to the IT Director that I had met with the HR Director earlier and he had said “it isn’t an HR thing, it’s an IT issue”.

Unfortunately, both the IT Director and the HR Director are so busy burying their heads in the sand and trying to shift ownership to each other that no one is actually looking at the simple things the business can do to address GDPR and ensure compliance.

It makes me wonder how many other businesses and senior managers are out there with the same illusions, doing nothing while the clock ticks down. They don’t need to spend lots of time and money on this issue, but doing nothing will surely mean they end up in a hole.

If this sounds familiar and you would like to start discussions around what you should do to ensure you are ready for GDPR, then get in touch with us today.