The business world won’t come to an end on May 25th 2018 as a result of the GDPR. Rather, firms will be obligated to continuously mitigate the risk of loss, unauthorised access, theft or misuse of all staff and customers’ personal data, i.e. both paper-based data and data stored on IT systems.
The GDPR isn’t about penalising firms or forcing them to comply with draconian rules, and there are benefits to be realised if a firm can show its customers that it respects their privacy.
Now, the 28 respective EU Supervisory Authorities are unlikely to send an army of auditors out to ‘catch’ firms that aren’t fully compliant with the GDPR on May 25th; they’ll be extremely busy dealing with actual breaches reported to them by data subjects.
Finally, GDPR compliance isn’t a destination, it’s an ongoing journey. So my advice to firms remains: iteratively review your end-to-end data processing procedures and systems beyond May 25th and mitigate any risks identified. And don’t forget to deliver tailored GDPR training to all staff, from the board (who are accountable for information and data protection) to your cleaning staff (who handle paper waste that may include documents containing personal or sensitive data).
May 25th – just another day in business.