The GDPR is an Elephant…

Firstly, let me introduce myself. My name is Richard Merrygold, I have worked in data protection for 11 years, before it became a thing. I am not Lawyer. I don’t class myself as a “GDPR expert” but I am a data protection specialist, a realist and I like to think, a pragmatist.

After reading numerous articles, attending numerous conferences and speaking to countless numbers of people who are all grappling with the same challenges, I found that there is still a desire for simplicity and clarity around how to tackle the far-reaching requirements of the GDPR.

Now, as I said, I don’t class myself as an expert but I am a career privacy professional with years of experience in implementing real world, practical privacy solutions that work and what I have come to realise is; the GDPR is an elephant. Allow me to explain why;

An elephant is one of the largest animals known to man, it is majestic, agile, lives for a very long time, is extremely protective but most importantly, it is too big to be eaten whole.  

Then you have the GDPR. The GDPR is the largest piece of privacy regulation in a generation, possibly ever. The GDPR touches almost every single part of our modern digital world and effects countries, nations, people and organisations far beyond its Union based boundaries.

The GDPR harbours many requirements, some new, some old, some revamped but one thing should now be clear, there is no simple solution to compliance.

It is possible to write pages and pages about how to be compliant with the GDPR. I could talk for hours about each part of the regulation, why it’s important, what’s new, what’s old, what matters etc. but this is different for every organisation.

To be compliant with the GDPR, you need to decide what’s important for your business. You need to understand how your business operates, what data it processes and why. Then you need to break down the effects of the GDPR on your organisation into bite size chunks;

The body

The body is obviously the largest part of the elephant and consists of all the recitals, articles and associated guidance. Before you can start eating the body, you need to get to know your business and work out what parts of the regulation are likely to affect you and start there. If you undertake a lot of marketing, legitimate interest and consent could be very important. If you work for a healthcare company then identifying a lawful basis for processing special category data is key. If you carry out large scale research activities using huge databases of personal information then you may want to start by looking at Data Protection Impact Assessments (DPIA).

Whatever your business does, work out what is important, do it now because only when you know what’s important to your business can you start to work out how to comply with the GDPR.

The Legs

The GDPR should be viewed as an enabler, a way of moving your business forward rather than just another business burden. For instance, better quality data with more informed customers means they get the marketing they want to see and you achieve more sales for less expense and you reduce the risk of a data breach by holding less unnecessary information.

Yes, it’s going to require budget, resource and of course effort but if done properly, the benefits to your business will far outweigh the pains.

The trunk

The trunk is an elephant’s greatest tool. The greatest tool when trying dealing with the GDPR is to realise that much of this stuff isn’t really that new!

Some articles, like the right to erasure and DPIA’s are new additions, but even they have existed in some countries for a number of years. This means that you don’t have to rewrite the rule book. You can find a wealth of useful information, for free, from the ICO.  You can also attend conferences and seminars and most importantly, you can gain valuable insights by speaking to your peers and, where required, seeking the advice of specialist data protection professionals!

GDPR compliance is a journey, not a destination. There can be a lot to do and it can seem daunting but if you break it down into its component parts, it is achievable and most importantly, you are not alone.

Businesses are all in this together and we all have a vested interest in succeeding, so speak to each other, share ideas and ask those stupid questions.

However you choose to look at it, the GDPR is an elephant and it’s going to live for a very, very long time…