Before 25th May, I heard a lot of companies saying that GDPR was going to be the next Y2K. Mostly, this was then followed up with an excuse as to why they weren’t investing any time or effort in preparing their business for the new law.
Four months have passed since 25th May, and on the surface it looks like GDPR has had about as much impact on day-to-day operations as the imaginary millennium bug had on our Windows 98 computers.
Why has GDPR had such a small impact?
Four months on, GDPR hasn’t had much of a noticeable impact. In my opinion, there are three clear reasons:
- The ICO are slow
- The general public couldn’t care less
- Companies are choosing to run at risk
The ICO and GDPR enforcement
Let’s take these one at a time. I’ve said that the ICO are slow, but is this necessarily fair?
Well, we know that they aren’t the quickest at investigating complaints; they never have been. When GDPR came into force, new rules governed how quickly companies must report personal data breaches to the ICO (without undue delay and, where feasible, within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals) and how quickly companies must respond to SARs (within one month, which is where the commonly quoted “30 days” comes from).
There is, however, no rule on how quickly supervisory authorities such as the ICO must act on those breach reports, or on complaints in general.
That isn’t surprising: every complaint comes with its own level of complexity, so putting fixed deadlines around investigation times would be unproductive.
This doesn’t mean that the ICO are doing nothing though. There have been a handful of high-profile complaints made, and even more low-profile ones.
Bupa fined £175,000 for failing to keep customer data secure.
— ICO (@ICOnews) September 28, 2018
Note that the Bupa penalty was issued under the Data Protection Act 1998, because the incident pre-dated 25th May 2018; it shows the ICO is active, not that GDPR-era fines have started. Considering we have only been under the new rules for four months, we can expect to see some of the first GDPR resolutions come into force towards the end of this year.
Mis-reading the current lack of GDPR enforcement action from the ICO as a permanent state, and ceasing data privacy improvement work because of it, is a dangerous mindset.
The general public don’t care about GDPR
My second point was that the general public don’t care about data privacy.
The ICO did a mediocre job of communicating GDPR to the general public prior to May 2018.
The Facebook/Cambridge Analytica story was perfectly timed, and as I spoke to people out in the street, in the pub, in restaurants, or as I delivered training courses, it was clear that interest in how the new regulation would affect day-to-day life was building.
Then came the lawyers, who wisely(!) advised their clients to email all of their data subjects in May, and within three or four weeks all of the good work done by the ICO was undone.
GDPR went from being a shining beacon of hope that companies would be forced to respect our data, to being an inbox-filling annoyance. And just like that, all public interest disappeared.
This is a big problem for the ICO, who are almost totally reliant on the public to police UK companies and report concerns to them for investigation.
Just to prove my point, the story about Facebook’s breach affecting 50m accounts this week stayed in the BBC’s top ten most-read news stories for less than three hours before being replaced with other things.
Companies are choosing to ignore GDPR and run at risk
The last point – companies have chosen to run at risk.
Last week, we attended an exhibition for the hospitality industry in London, and I was scheduled to give a half-hour talk on how GDPR has impacted the industry to date.
It was unlikely that the seminar room was going to be full, but what I wasn’t expecting was an empty room.
Zero turn out. Yet that’s what I was presented with.
On speaking to a few exhibitors and delegates afterwards, the overwhelming response was that GDPR had been a huge waste of time, because nothing had changed since it came into force.
Now this is clearly not a reflection of ALL UK companies. There are some that have done great work towards improving the way they protect personal data and those will reap the rewards.
Then there are those companies who started with good intentions but never followed through with operational change, and finally those who have done nothing.
A certain amount of responsibility sits on the shoulders of the wave of fear-selling “GDPR consultants”. When companies purchase a service or commit to change based on fear alone, they lose interest very quickly if the fear isn’t realised.
What should businesses be doing about GDPR?
Be patient and keep working on improvement.
The regulation is law, and whether you think it’s important or not, it is not optional.
Keep talking to your employees, customers and suppliers to make sure you’ve covered all areas of personal data protection. Now is the time to implement operational change and find solutions that make your life easier.
Remember – compliance is everybody’s responsibility and there are no one-stop-shop software solutions out there to do it for you. There are, however, some great solutions (old and new) that will save you time and money in specific areas.
Capterra has a great list of GDPR compliance software to help you with everything from sensitive data identification, to incident management and consent management. It’s a good place to start if you’re looking for a tool to help your compliance needs.