Posted on November 23, 2017 by staff

GDPR compliance requires a company-wide approach


With the General Data Protection Regulation enforcement date fast approaching, it is becoming more important than ever to prepare your company for the new legislation.

Few businesses today are unaware of their obligations under the looming General Data Protection Regulation legislation. The Information Commissioner’s Office, top lawyers and IT specialists, in particular, have been effective at getting the word out.

Even small businesses understand that from 25th May 2018 GDPR aims to return power over information from companies to Europe’s citizens, giving them the right to world-class protection while their data is being meaningfully used, along with a right to its eradication thereafter.

But achieving GDPR compliance is proving challenging. Nick Richards, CEO of e-learning provider Me Learning, says there are two key issues.

“First, many companies are focused on the May 2018 deadline. They are working on the systems or process upgrades, which will allow them to inch past the deadline successfully,” he told BusinessCloud.

“But making a business compliant in the long term requires more than resilient policies and processes. Unless they are relevant, applied and understood at all levels of the business, you’re likely to veer off course.”

A good example is the NHS – typical of an organisation with financial and delivery pressures, a huge user of data and staffed with people of different degrees of technical ability.

“Whatever the sentiment, it’s the reality that matters. Organisations need to somehow find the time and resource to get every member of staff GDPR-aware and ready,” he added.

Richards says that businesses of different sizes need to approach GDPR in different ways. For example, small businesses may not be able to afford to buy in skills or find time to devote to the GDPR.

Meanwhile, mid-sized businesses have more people and resources, but more complex systems and processes to audit. Smaller businesses are also less likely to have an in-house data protection officer to guide strategy.

“Again, it’s as much a people and skills problem as a policy and procedure problem,” said Richards.

Me Learning has produced e-learning materials in four tracks: for board-level sponsors, for GDPR leads, for data workers and for all employees.

It says this means the cost of achieving breadth of knowledge is minimised while teams are better able to collaborate on new, GDPR-conscious ways of working.