Here’s an important date for your diary - 24th May 2018. That is now definitively when the new General Data Protection Regulation (GDPR) will start to be enforced. On that day, the two-year transition period from the current Data Protection Directive (DPD) expires and everything detailed in the Regulation will start to be assumed. So, what are you doing to prepare?
Research carried out by DataIQ has revealed that only 7 per cent of companies describe themselves as very prepared for GDPR. A further 48 per cent describe themselves as somewhat prepared - a term capable of differing interpretations, depending on whether you have the half-full glass view that they have started to plan, or a half-empty glass view that they merely know they will need to plan.
Given the long gestation period of GDPR, awareness of its arrival is high - 46 per cent of businesses say they are very aware of it, with a further 33 per cent somewhat aware (that ambivalent state again). You could argue that awareness should be nearly universal and preparedness much more advanced. But the duration of GDPR’s adoption - over four years since first draft - and some uncertainty over its ultimate date of adoption may have diluted this.
In fact, you can already find online countdown sites which are getting it wrong. GDPR was published in full today in the Official Journal of the European Union, having been translated into all the official languages of the EU. But that is still not its final step into law - that happens (for obscure reasons) 20 days after publication. Hence the 24th May 2018 kick-off.
So is 750 days enough time to get ready? On paper, it might seem ample, until you do some simple maths. Over that two-year period, there will be 214 Saturdays and Sundays. Bank holidays in the UK will swallow another 16 days. That is before you factor in holidays and sick leave. Put another way, you have 520 working days maximum to transform your data organisation from its current DPD processes into a GDPR-compliant operation. Does that feel sufficient?
In our Impact research into Protection, we asked businesses how long it takes them to change a core data protection process. Although 26 per cent optimistically claimed to need three months or less, the average across all respondents was closer to seven months. Getting a process re-engineering project underway has its own lead-in time, of course, not least to specify the nature of the project and align budget and resources.
Those could turn out to be in short supply as everybody will be chasing the same outcome. Data recruitment specialists will be overwhelmed with briefs for a Data Protection Officer. IT vendors and systems integrators will be working everywhere to enable the recording of consents, monitoring of data use, and other GDPR-compliant processes across all data-driven systems.
Will your company be at the front of that queue? What about its internal capability to change culture and process where necessary? Unless you are one of that ready-to-go 7 per cent, you could find 750 days is not nearly enough.