
GDPR: one year to go and counting – what you need to do now

In the wake of the recent national ransomware attack and the significant fines imposed on Facebook and WhatsApp, it seems that data protection is hitting the front pages more frequently than ever before (see Legal update, Commission fines Facebook for providing misleading information about acquisition of WhatsApp). This is a trend that is only likely to increase as cyber attacks grow in ferocity, strength and impact, and with the advent of rigorous compliance requirements and substantial fines under the EU General Data Protection Regulation (GDPR), which comes into force a year from today.

The challenge for us as legal advisers is to ensure that data protection in general, and the GDPR in particular, hits the headlines within the confines of our own organisations, so that we are as ready as we can be for 25 May 2018.

The GDPR in many ways represents an evolution of data protection law. What was once best practice will become a mandatory legal requirement. Concepts born of good (information) governance, such as transparency and accountability, become compulsory. Given that many organisations have yet to get to grips with the current regime, the prospect of even trying to achieve compliance with the new regime can resemble a daunting and Herculean task.

I set out below suggestions as to steps that can be taken now to make best use of the next twelve months. There is undoubtedly a lot of work to be done, but in my view following the process described below will provide a road map and direction to what will be challenging times ahead.

The steps set out above will need to be adjusted to suit the nuances of the particular organisational and political context, and will to some extent require a cultural shift to a place where data protection is embedded in the daily DNA of everything we do.

But it is arguably the failure of the previous legislation to achieve that goal that gave rise to the need for the GDPR in the first place. By adopting a systematic and organised approach, backed up by buy-in at senior level, we can turn mission impossible into mission accomplished.

For further information, see EU General Data Protection Regulation toolkit and Legal update, ICO warns businesses to prepare with one year to go until the GDPR.

Ros Foster
