Is it possible to achieve GDPR compliance in just one click?
The simple answer is no. Despite the number of charlatans out there claiming that there is a one-size-fits-all solution, I’m afraid it’s not that straightforward.
Don’t get me wrong, achieving GDPR compliance needn’t be overly complicated, and it’s certainly not as scary as you may think. However, it’s important to be aware of the scare tactics that can blur fact and fiction. Here, we take a look at a few of the ones we’ve witnessed:
“You need to buy this, or you will risk fines of up to 4% of your annual revenues”
It is true that your organisation could be fined up to 4% of annual turnover, or up to 20 million euros (whichever is greater), if you were to fail to comply with GDPR and suffer a data breach. However, this does not mean that one product or solution (one that will most likely break the bank, dare I say) will solve all of your problems. Ensuring GDPR compliance is a journey, not a destination, so it’s important to put some time and resource towards it.
“It’s just the large fines that you need to worry about…”
Indeed, there is a real risk that your organisation could face a crippling fine if you were to suffer a data breach. Nonetheless, it is also possible that you as an individual could face internal disciplinary action or even, in exceptional cases, a criminal record. In addition, it’s important not to overlook the potentially significant reputational impact on your organisation, which could lead to compensation claims. Everyone is responsible for ensuring compliance with GDPR.
“Just buy lots of IT…that’ll solve all of your problems”
GDPR is more than just an IT problem. For example, employee awareness training is often overlooked when, in fact, over 90% of incidents involve user behaviour rather than a lack of IT measures. Left untrained, your employees present the biggest risk to your organisation. Ask yourself: who is responsible for the data processing activities that your organisation undertakes? Your employees. Do your employees know what the GDPR is? Put simply, GDPR employee awareness training must not be disregarded, as it is a cost-effective way to evidence your organisation’s compliance.
“If you haven’t prepared for GDPR yet, it’s really bad… but becoming GDPR compliant is as easy as buying X (oh… and Y and Z)”
If we’re honest, GDPR is not a revolution. If you’re already compliant with the Data Protection Act, you’re most likely nearly there. Whilst the GDPR should be taken seriously (after all, it is a law), ensuring GDPR compliance is no doubt an extension of what you should already be doing.
You have most likely been harassed by various self-proclaimed GDPR ‘experts’ who recommend you start by purchasing product after product to solve all of your problems. Yes, GDPR is a project of work, but surely £10,000 coming off the bottom line isn’t the best place to begin?
Despite what people may say, establishing GDPR compliance is a marathon, not a sprint. There is no one solution, or even two or three solutions, that will guarantee that every organisation is compliant.
As a starting point, it’s a good idea to conduct a data audit for your organisation. You will then be able to gain a true understanding of all the different types of data your organisation holds, where you hold it, and what it is used for. Ultimately, all organisations differ from one another, so it’s important to take this into consideration when thinking about how to comply with GDPR.
But what will this cost me?
You’re right in thinking that data audits can be pricey, and you may not have room for this in your budget. However, have you considered conducting a data audit yourself? It needn’t be as complicated as people may make it out to be.
So, you’ve conducted a data audit. What happens next?
After identifying the types of data your organisation holds, where you hold it, and what it is used for, it then makes sense to move on to looking at your systems and processes.
This ensures that you are focused on what your organisation specifically needs, which in turn gives you the best guide as to how to protect your data, whilst ensuring you do not overspend where it is not necessary to do so.