Taking the 'ARGH' out of GDPR


For many people ‘GDPR’ is fast becoming a new curse word, while for others it’s an inevitable can of worms they would rather keep on their procrastination pile.

In an attempt to understand and redeem the word, we spoke to some GDPR specialists to help us turn this frog into a fairy tale prince. 

We spoke to:

  • Dave Devloo (DD) – Lawyer and Data Protection Officer at Devloo Solicitors (Belgium)
  • John Crich (JC) – GDPR Consultant at GDPR Consult
  • Joel Bravette (JB) – Associate Partner Joseph & Co Consulting; Consultant at Easygdpr

Q: Are there any hidden opportunities in GDPR?

JB: The human side of GDPR will be equally as important as the data. Effecting culture changes across organisations with regard to how we collaborate, how we protect our businesses and how we incorporate new methodologies will be pivotal in the future of employment. It will take more than a morning group session in the conference room, but may have a much wider impact than we think.

DD: Absolutely. Through GDPR-compliance projects companies get a much clearer view of their own processes, including who in the company collects data and what kind of data is collected. This in turn often leads to improved organisational or cost efficiencies and better or combined data management between departments.

JC: There are definitely opportunities hidden in GDPR, ranging from simply gaining more control of your company and customer data to more subtle improvement of your brand presence.

Q: What should I expect GDPR-compliance to cost my company?

JB: This is inherently a trick question because not only is it dependent on what your company does and what processes are employed to achieve this, it is also much more than a ‘throw money at it and it will go away’ type of compliance. Contrary to some popularised beliefs, the biggest threats to our data systems are not malicious hackers hell-bent on bypassing your firewalls, but more often careless and negligent employee behaviour that invites opportunism. The average employee is often an unwitting data breach because they have never been appropriately trained in basic data security.

Q: What are the three most important things to do when implementing GDPR?

DD: I can easily think of 10 important things to do, but my top 3 would be:

  • Create awareness of GDPR in your company and among your employees. Make them aware that there are obligations and rights involved when dealing with personal data.
  • Start a data register in which you make note of all your data processing activities and processes. This will give you a clear overview and allows companies to identify high risk areas or gaps that need filling.
  • The accountability obligation: keep a trail of evidence, a sort of GDPR road map for your company. For example, if you’ve taken a course or training, put your certificate in the folder. Have you put extra security measures in place? Update it in your GDPR folder and keep everything in one place.

JB: My top three are:

  • Understand your business and all the permutations that involve communications with third parties both inbound and outbound.
  • Create a protocol for the archiving, transition and deletion of all communications as appropriate for the nature of the data.
  • Understand the human factor regarding data security and act accordingly. Your business is as strong as the weakest link.

JC: I would suggest that all companies:

  • Engage their senior management to create buy-in.
  • Engage with a GDPR specialist to run a gap analysis in order to understand their current position.
  • Build a GDPR plan and execute it.

Q: Finally, what is the one piece of advice you would give companies regarding GDPR?

DD: As a lawyer and data protection officer I mostly tend to look at GDPR in terms of what to do when it goes wrong. It is my opinion that (especially large) organisations can never be fully GDPR compliant and that it is more important to show that you are making every effort to do so. By that I mean that you should always be able to provide proof that you have and are continually protecting the rights of the ‘Data Subject’. Obviously I can’t make any guarantees, however this should stop you getting fined and limit consequences to constructive feedback from your local Data Protection Authority.

JC: My one piece of advice would be to take GDPR seriously. Understand your current position, build a plan to become compliant, budget realistically and start to execute the plan.

JB: I think I can only reiterate my point regarding the human factor of GDPR compliance. Every employee needs to have a basic understanding of the new digital age in which we operate and be equipped to take suitable precautions accordingly.


Beyond all the rules and regulations, it’s important to look at GDPR as an opportunity as well, as a chance to create an in-depth understanding of your business and to delve deeper into your existing business processes. You may not be ready to shout “long live GDPR” yet, but don’t settle for doing the bare minimum without considering all the potential benefits GDPR can bring your company!