Marinette Nyström interviewing Casper Pedersen, Principal Business Solutions Manager
The EU’s new General Data Protection Regulation (GDPR) was approved in May 2016, and companies must be compliant by May 2018. Research shows, however, that fewer than 30% of companies impacted are prepared for it. I had a discussion with Casper Pedersen, who recently starred in a 2-part video series on the subject, about what the key steps for implementation should be.
What do companies need to do to prepare?
Casper: "Many companies don’t know where to start with GDPR implementation. To my mind, one of the best starting points is the information available from the EU itself, because there is a useful Q&A and some helpful advice."
Once companies understand what’s required, what do you think is the best starting point for action?
Casper: "Part of the paralysis is because they do not know where they are at the moment in terms of compliance. I suggest that companies should start by assessing their current position against the new regulations. They need to understand where they are now, and then they can identify the key gaps and risks. Only once they know which are the biggest issues can they start to prioritize actions to address them."
So companies should be assessing all their current data handling and management processes and procedures against the new regulation?
Casper: "They need to be looking at every single data system and process within the company. This sounds like a huge task, but unless companies do this, they won’t know where they might have problems. They need to identify potential non-compliance risk so that they can start to manage the risks and prioritize activities in an informed way. As a starting point, if there are more than 250 employees, they will need to appoint a Data Protection Officer. As always, without C-suite buy-in, it’s just not going to happen. GDPR is often seen as a legal matter, but it’s not. It’s very much a business issue, especially with the potential impact of getting it wrong. The Data Protection Officer is an important role, but the importance of taking responsibility is a company-wide effort."
I have heard you put successful compliance in the context of culture. How so?
Casper: "That’s right. Companies need to create more awareness of the use of data, and especially the requirements for privacy. GDPR implementation needs to be driven by executives, but it has to spread right through the company. Some people see it like a stick of rock, with ‘privacy’ written right through. It’s quite possible for companies to provide staff with technology that enables them to work with data in a safe way. This technology could be used to help them to identify personal data, as part of their initial assessment process. We know that a lot of companies are starting from a very low base, though, so it will be hard work."
There seems to be a real issue about how companies identify personal data?
Casper: "It is the first time that many companies will really have to engage with this. The new regulation goes further than previous data protection regulations, because it covers pseudonymous data as well as data with clear identifiers. Many companies are not even aware of how much personal data they hold, or what it is used for by various departments. There is software available that will crawl through files, and look for personal data: effectively, a personal data ‘sniffer tool’, and many companies could benefit from using this type of tool."
Sounds like smart technology could really help to find and identify personal data?
Casper: "Correct. We could learn from banks, because data governance is key to some of the financial reforms we have seen since 2008. An approved certification process could help to identify personal data: both where it is, and where it is used. It would also help to monitor compliance and the processes used to protect data. This might be one of the key actions identified to help manage risks."
There are plenty of challenges on the way.
The key is to start working on it early, to understand the risks. That’s probably the most important action of all: just to take GDPR seriously.
Here you can watch Casper on two videos sharing his insights:
The new EU Data Protection Regulation - What does it mean?
Steps needed to comply with the new EU Personal Data Protection (GDPR)
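The file-crawling personal data "sniffer tool" Casper mentions is easy to prototype. What follows is an added example, not code from the interview or from any product: a small Python scanner that walks a directory tree, flags e-mail addresses, IPv4 addresses, payment-card numbers and phone numbers in text files, and runs a Luhn checksum so that arbitrary long digit strings (order numbers, ticket IDs) are not reported as card numbers. The regular expressions, the thresholds and the sample files are constructed assumptions for illustration; a real deployment needs locale-specific patterns (national ID numbers, IBANs, postcodes), file-type handlers beyond plain text, and a human review step, since pseudonymous data such as internal customer IDs will never match a pattern and still falls under the regulation.

```python
"""Minimal personal-data 'sniffer': walk a directory tree and report candidate
identifiers found in text files.  Patterns and sample files below are
constructed for this example and are not taken from any product."""
import os
import re
import tempfile
from dataclasses import dataclass

# Deliberately broad patterns, tried in this order; every hit is a candidate
# for human review, not proof that the file holds personal data.
PATTERNS = [
    ("email", re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")),
    ("ipv4",  re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("card",  re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),          # 13-19 digits, optional separators
    ("phone", re.compile(r"(?<![\w.])\+?\d[\d \-()]{7,}\d\b")),   # loose international format
]


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    path: str
    line_no: int


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops long digit runs that cannot be payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    """Return one Finding per accepted match, line by line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        taken: list[tuple[int, int]] = []    # spans already claimed on this line
        for kind, pattern in PATTERNS:
            for m in pattern.finditer(line):
                start, end = m.span()
                if any(s < end and start < e for s, e in taken):
                    continue                 # e.g. a card number also looks like a phone number
                digits = re.sub(r"\D", "", m.group())
                if kind == "card" and not luhn_ok(digits):
                    continue                 # long number, but not a card: leave it for "phone"
                if kind == "phone" and not 8 <= len(digits) <= 15:
                    continue                 # outside the plausible length of a phone number
                taken.append((start, end))
                findings.append(Finding(kind, m.group(), path, line_no))
    return findings


def scan_directory(root: str) -> list[Finding]:
    """Walk root in a deterministic order and scan every file as text."""
    findings: list[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), os.path.relpath(path, root)))
    return findings


# Constructed sample files standing in for a departmental file share (not real data).
SAMPLE_FILES = {
    "hr/payroll_notes.txt": "Contact anna.berg@example.com or +46 8 123 456 78 for payroll questions.\n",
    "it/server_inventory.csv": "host,ip\nweb01,10.0.12.7\n",
    "finance/refunds.log": "refund card 4111 1111 1111 1111 approved\n"
                           "ref 1234567890123 is an order id, not a card\n",
}


def demo() -> dict[str, list[str]]:
    """Write the sample tree to a temporary directory, scan it, group hits by kind."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        findings = scan_directory(root)
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.kind, []).append(f.value)
    return grouped


if __name__ == "__main__":
    for kind, values in sorted(demo().items()):
        print(f"{kind:6s} {values}")
```

On the sample tree this reports one e-mail address, one IPv4 address, the Luhn-valid card number, and two phone candidates: the Swedish number and the 13-digit order ID, which the card check correctly rejected but which the loose phone pattern still catches. That false positive is the point of the review step: a scanner like this tells you where to look, and a person or a stricter, locale-aware rule set decides what is actually personal data.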