Why aren’t you preparing for GDPR yet?

The General Data Protection Regulation was adopted in April 2016, but you have until 25th May 2018 before the authorities start enforcing the law and giving out those hefty penalties we’ve all heard about… so why are businesses still not preparing for it?

Stuart Grist, Sales Director of Metaphor IT, has been in the IT business for almost 20 years. Here he shares his experience of why this is similar to The Data Protection Act 1998 and why businesses should be preparing for GDPR before the deadline date.

The Data Protection Act 1998

“It’s January 2000, I am managing a specialist team of support engineers at a global software vendor, Fujitsu, and we are handling calls and incidents from thousands of end users a day. The Data Protection Act 1998 is coming into force in a few months’ time and we are clambering around trying to ensure we have all the new policies distributed out to staff. New staff handbooks, new Acceptable Use Policy, new Data Protection Act policy, new staff contracts, new CRM system to store end user information… the list is endless.

The law was given Royal Assent in July 1998 and the commencement date set for March 2000, almost two years’ warning to get our policies, processes, systems and people ready for the new law, which carries new fines and bears criminal responsibility on those mishandling data. Yet here we are two months before go-live, scrambling around like headless chickens trying to ensure that we are ready. Don’t get me wrong, we had started talking and planning about the impact of the new law way before it was even passed through Parliament, but no one did anything; why would they?

We had almost two years to plan and implement the changes required to make sure we were ready and compliant. Inevitably the task was much bigger than we had imagined and we had far less time to bring about the changes required; we had simply left it too late. It was a very stressful time for me and my colleagues, trying to hit the deadline, watching it pass, hoping and praying we didn’t have a data protection incident whilst we scrambled to get the staff trained and new systems and processes in. Three months later we were in a position where we were comfortable we had taken reasonable measures to ensure we complied with the new law. Then started the ongoing training and monitoring to ensure continued compliance”.

Why haven’t we learnt from this?

“Fast forward 17 years and here I am, older, greyer, wiser but watching the same scenario playing out again with almost every company I meet.

The new General Data Protection Regulation was passed into law a year ago with a commencement date for May 2018. Two full years of warning allowing companies to prepare and put systems in place to ensure they are compliant and have made reasonable efforts to protect sensitive data. 40% of the people I meet have not even heard of the new law; of those that have, 90% tell me it’s someone else’s responsibility, or that they haven’t considered the business impact.

Worrying times because 17 years ago that was me and the business I worked for. However, this time around it’s different, worse, much worse. The new GDPR legislation is far more onerous on businesses, the fines are eye-watering, the scope of what is sensitive data is far broader and we live in a world of Cyber criminality which makes a data theft of some sort inevitable. Yet here we are with almost every business I speak to ill-prepared to tackle this huge change of law, if they are even aware of the legislation in the first place!”

How can you prepare for May 2018?

“I am older and, I would hope, wiser this time around, and my business has been preparing for this change for the last two years and we are still adjusting our processes and systems now as part of a continual security improvement plan. When the new GDPR laws come into place in little over 12 months’ time we will be ready and have prepared well. We will be ahead of the game and our competition, not scrambling around trying to get ready or, even worse, being fined by any one of the EU countries able to act against us if we weren’t ready.”

If you aren’t sure how prepared your business is for when the General Data Protection Regulation comes into force, you can apply for a GDPR Readiness Assessment to find out more.

Metaphor IT have a range of technology solutions available to help your business stay compliant under the new regulations. Read more about our Managed Cyber Security Service available to businesses of all sizes.