The clock is ticking on GDPR but time’s not up

Panicking about GDPR? Here’s what you can do to improve compliance in the time you’ve got left.


Our resident GDPR expert, Dominic Johnstone, Head of Information Management Services, talks about what you can do if your journey to EU GDPR compliance is just beginning.

May 25 is the point at which companies can be fined for non-compliance; it’s not a finish line. As Dominic points out, “It’s not as if you can forget about this on May 26th. This is a switch-on date and, from that moment on, the world changes.”

Confused, panicking about GDPR?

If your company hasn’t made a start by now, you certainly haven’t missed the boat. As Dominic explains, proof that you’re actively engaged in change may be enough to mitigate fines. “If you’re not taking this seriously and you get investigated, you’re going to have to go the high-cost route to compliance,” Dominic warns. However, “If you understand where you’ve got to be and the program of work, then the authorities will give you time to put things in place.”

So, you’re committed to getting GDPR sorted; where do you start? The first stage for any business is a risk and readiness assessment. Risk is all about the kind of business you are, and readiness is the process of determining your current level of compliance and the things you need to do to develop compliant processes.

“You’ve got to know what you’ve got,” Dominic says. “Every business needs to be aware of the type and the volumes of personal data they’re holding. The size and complexity of the organization and its data processing systems is also important.”

This is often a disturbing voyage of discovery for businesses that have not made proper information governance part of their everyday practice. Dominic gives the example of a law firm that saves all their past cases on CDs stored in a vault. If GDPR gives their former clients the right to be forgotten, Dominic wonders what that law firm will do about the data: “There are hundreds of clients on those CDs; how is just one going to be deleted?”

Once you know what you’ve got, you’ve got to have a good reason to keep it. “What the key principles of GDPR really boil down to,” Dominic explains, “is understanding the legal basis for why you’re holding information, having the correct permission to hold it and having the capability to fulfil the right to be forgotten.” One of the key changes to the law, Dominic adds, is that all of these processes are testable. “You need to have evidence that you’re doing it,” he says.

If this all seems overwhelming and you haven’t started, you’re not alone. To clients requesting a risk and readiness assessment at this late stage, Dominic is able to say, “This is where you are now, this is where we think we can get you to by May and this is where you need to be in the long run, which could be a two-to-three year program.”

The reality, Dominic says, is that most large organizations will have a program in place by now, but they won’t necessarily be compliant yet. If your company’s just getting round to GDPR, contact Crown Records Management for a risk and readiness assessment. Even if you can’t reach complete compliance by May, you’ll have started your journey and have evidence to prove it.