Your GDPR “Un Readiness” Assessment is Done. Now What? Time To Outrun the Bear!
March 22, 2017 – Scott Meyer
Under 450 days to go until the May 25th, 2018 GDPR Compliance deadline.
Preparedness levels are all over the place. Yet the clock is ticking. In case you were wondering if the regulators are serious, here are two data points from the UK Information Commissioner’s Office worth considering:
- The Information Commissioner’s Office will expand its roster of investigators, lawyers, analysts and policy advisors by 40% in the next two years as it prepares for the country to adopt a “once in a generation change in the law”. It will mean around 200 new staff joining the watchdog.
- “You can’t dress something up as consent if it’s not consent.” — Steve Wood, Information Commissioner’s Office Head of International Strategy & Intelligence at the IAPP’s Data Protection Intensive
Yeah, they are not messing around…time to get on it.
The first and most logical step is to get a GDPR Readiness Assessment done. There are plenty of ways to do it. You can download a free tool, follow a well-established outline (we like Nymity’s), or invest the time and money with a law firm or consulting shop. All of these are good options.
The concept of “Readiness”, however, is sort of a misnomer. Rather, the assessment will be an “Unreadiness” Assessment. It will be discouraging, especially when non-compliance with GDPR carries the starting price tag of €20 million up to 4% of global turnover. I can’t emphasize enough that this isn’t an IT responsibility, nor is it a Privacy responsibility nor a Marketing responsibility. Rather, it’s a company responsibility.
Citigroup’s GPS unit just published the very best report on GDPR and ePrivacy issues to help understand, in pretty plain English, what your company should focus on. You must read it if you are in this space: “ePrivacy & Data Protection: Who Watches the Watchers? – How Regulation Could Alter the Path of Innovation”.
Vivienne Artz, Citi’s Managing Director, Head of International Privacy for IP & O&T Law sums it up best:
“GPDR has taken the issue of data protection and e-privacy from somewhere in the bottom 20 of issues that corporates worry about and spend time on to somewhere in the top 10.”
I proposed a framework in my last post: GDPR Compliance Is A Lot Like Car Maintenance. Now it’s time to force-rank projects as you head into 2018 budget season. It’s only the middle of March 2017. Yet any corporate executive will tell you, 2018 budget season is just around the corner. The sooner you know what you need to ask for and how much it will cost, the better.
PwC’s recent Pulse survey of 200 CIOs, CISOs, General Counsels, CCOs, CPOs and CMOs from US companies with more than 500 employees drove the importance home: 77% plan to spend $1 million or more on GDPR. The study notes: “Securing a $1 million budget for data privacy has been more an exception than a rule for many American corporations. The GDPR’s potential 4% fine of global revenues, however, has changed budget appetites for mitigating this GDPR risk. While 24% of respondents plan to spend under $1 million for GDPR preparations, 68% said they will invest between $1 million and $10 million. Another 9% expect to spend over $10 million to address GDPR obligations.”
A basic weighted-average spend calculation of the above gets to an average spend of $4.5 million per company. That’s serious money, which I shared with eMarketer recently.
Now the question is where should it go? I propose a simple philosophy:
Or in other words, what is a minimum passing grade vs. being first in the GDPR compliance class? The nature of the changes required by the GDPR are so vast, there’s no way a company can reasonably be 100% compliant in time. That’s where the “outrunning the bear concept” comes in.
The UK’s Direct Marketing Association just published a survey of its members that gives some clear indication of the priorities for marketing changes are: Consent.
The regulators will be looking for clear signs that your company is compliant on May 25th, 2018. They are the bear. So as they look at the lineup of equally tasty “campers”, think hard about what allows you to first outrun the others. Start there, and then prioritize the rest of your GDPR efforts.
I think you’ll be surprised. The multimillion dollar Master Data Management proposal may look a lot less interesting than getting your consumer consent solution up and running. Having a DPO designated with a plan that can be shared readily with regulators is probably smarter and a whole lot less expensive than trying to re-write all of your middleware to get every silo of personal data digitized and available at a moment’s notice.
Budget season is coming. So is the bear-avoidance season. Time to get your running sneakers on!