The 25th May 2018 is not an end date. Far from it. It marks the beginning of a new era in data protection but one that will continue to evolve as our online world continues to develop. So, although organisations will be required to be compliant with the General Data Protection Regulation (GDPR) from that date, it is an ongoing process, not Armageddon.
In the words of the ICO’s Information Commissioner Elizabeth Denham: ‘It’s an evolutionary process for organisations – 25 May is the date the legislation takes effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.’
For organisations with GDPR firmly on their radar, the primary focus seems to be on reaching a level of compliance by GDPR Day 1, but what about Day 2 and beyond? Those who are fully compliant by 25th May will need to work hard to remain compliant. Those who are not yet completely ready will need to work even harder to reach and maintain compliance or risk substantial fines. The key factor to remember, however, is that it will be nigh on impossible to achieve perfect maintenance of absolute compliance. So, take comfort from the fact that the ICO has stated that those who are able to demonstrate that appropriate systems and thinking are in place will find that the ICO takes this into account when it considers any regulatory action.
So, while absolute compliance may be an intended aim, what organisations really need to focus on is the fact that they can demonstrate the thinking and the steps they have taken to be compliant. That is not to say that anyone will get ‘A’ for effort if no practical steps have been taken.
As Elizabeth Denham explains, there is no excuse when it comes to GDPR: ‘There will be no ‘grace’ period – there have been two years to prepare and we will be regulating from this date… We all know what’s coming. It’s a known known. Much of the GDPR builds on the existing Data Protection Act 1998. There’s also guidance and a lot of help out there…’
SRM’s GDPR team provides a business-focused service to organisations of all types and size, at all ends of the GDPR-readiness spectrum. While we provide unrivalled technical and compliance expertise, we also understand how businesses operate, working with clients in the GDPR compliance process with the focus on delivering robust, efficient and effective on-going compliance, not on selling products.
SRM has operated in this environment for many years. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance. We can also take on the full Chief Information Security Officer (CISO) or Data Protection Officer (DPO) roles, either in traditional part-time roles or via our VirtualCISO™.
VirtualCISO™ is proving a popular option for businesses which require broad levels of expertise to complement existing skill sets and roles in a flexible manner.
To find out where you are in terms of GDPR readiness, complete our free online GDPR Self Assessment Questionnaire.
To find out more about what SRM’s GDPR team can do for you, contact Mark Nordstrom (firstname.lastname@example.org) or 03450 21 21 51, or check out our website.
Or read our blog: https://blog.srm-solutions.com/are-you-ready-for-gdpr/