Why there is no need to panic about GDPR – lessons R2P has learnt on the road to compliance
By Lucile de Carbonnieres
Data Protection Officer
Please allow me to interrupt your frantic lives for a moment and talk about the fascinating subject of GDPR (come on, I cannot be the only one to find this “interesting”).
When my boss kindly promoted me to the “esteemed” position of Data Protection Officer back in October, I had a sinking feeling from his devious smirk that there was more to this than the glorious promotion I was led to believe I was getting! Call it female instinct if you like but it very quickly dawned on me that four letters in the alphabet would forever take on a different meaning for me. So what is GDPR and why are so many people having a right old panic about it?
In simple words, the General Data Protection Regulation (GDPR) is a new European regulation aimed at protecting individuals and the immense trail of personal data they shed in their daily lives on the internet when they interact with organisations (shops, banks, suppliers, doctors, schools, etc). With the GDPR, individuals are back in control of their own data and anybody holding (or processing) their data is a mere custodian who has to abide by their wishes.
GDPR has been called a ticking time bomb, a revolution, the biggest challenge to business in decades, and in private a lot of less palatable words I cannot commit to print!
Reading all the press available on the subject you would be justified to feel like a 3rd class passenger on the Titanic watching the last lifeboat leaving. The hysteria is generally taking hold with the odd voice of reason telling you not to panic. If you are like me, the more somebody says “don’t panic” the more I have an irrational urge to run around in circles, arms flailing wildly, screaming that the world is coming to an end!
Those of you who are old enough to remember Y2K (Year 2000) will also remember similar panic and scaremongering: all computer software (including bank systems, government systems, clocks, television channels) was going to fail at one second after 23:59:59 on 31 December 1999. As much as $600 billion is said to have been spent on planning for Y2K and building the necessary legacy infrastructure. It was certainly a fun New Year’s Eve to remember but somewhat disappointingly the impending doom never materialised.
So, what of GDPR? We know when the “bomb” will go off, 25 May 2018, and it is fair to say that GDPR has already had a profound impact on the way people conduct business and that a number of procedures, policies and “old ways” will have to change, such as obtaining proper consent for using data and keeping the data you are trusted with secure and available. After all, the recent controversy involving Facebook and all the data it was “leaking” to other third parties is a good example of how people are looking to take back control of their own data.
The GDPR is a fundamental change for businesses that will require possible adaptations at every company level (senior management, sales, marketing, customer services, legal, compliance, operations) but it also represents a big opportunity to de-clutter and clean-up to create better and more agile companies. This new environment will also foster better trust between individuals and companies.
Don’t give in to the ambient terror. Keep level-headed and start preparing in small steps. The GDPR is neither confusing, difficult nor impossible. Start by assessing where you are with regard to GDPR, highlight areas of specific risk or concern, work through your most pressing problems and set a plan for going forward.
I would not be doing my job properly if I didn’t tell you that we at Return2Play can greatly help our partners in being compliant with how they record children’s injuries. We have worked very hard over the past 8 months to ensure we have GDPR-ready Processing Agreements in place and are confident we can support our partners in fulfilling their rights and obligations under the new regulation. We can also help provide training and are generally happy to help and work hand-in-hand with our partners who may encounter issues surrounding data. Don’t be shy, get in touch!
GDPR doesn’t start and end on the 25 May; it will be a “living” regulation for years to come so roll up your sleeves. The ostrich approach will not help you. What you don’t know can hurt you when personal data is concerned.