In case you still haven’t noticed, the GDPR is approaching as sure as spring. Despite the anticipation, most organisations are quite comfortably waiting for the day to arrive. The consultant-forecasted GDPR panic never arrived, at least not in the way that we in the industry were expecting. I regularly meet various organisations to discuss GDPR, but these meetings are less frequent now that GDPR is only few weeks from becoming an enforceable regulation in the EU countries. This calm before the storm is like before a great sporting event – preparations are now done, and it’s time to see how we perform on the field.

What happens on May 25

In my brain I entertain this scenario that on morning of May 25 the black government vans roll in and inspectors in black suits come knocking on your door. They tell us not to touch anything that contains data and take it away for inspection with the hefty fines looming over our heads for even a hint of a GDPR infraction.

I may be an optimistic fool, but I somehow doubt that will happen. Although nobody knows for sure, just considering the scale makes that impossible. For example, in Finland the responsible authority for GDPR enforcement is the Office of the Data Protection Ombudsman. They have a staff of 20 officers for the whole country. In Finland alone, there were 283,563 registered businesses in 2016. Add the nonprofit and public organisations on top of that, and it’s easy to understand that resources are scarce and will limit the scale of enforcement. This is only my speculation. But similar to what tax authorities are known to do, they will most likely focus their resources on the worst offenders and take notice of reported infractions. Of course, the organisations that handle the most personal data and have a lot of public visibility will get the most attention, while your local snack shop’s frequent customer register is probably not the first choice for inspections.

The responsible authorities for #GDPR enforcement will most likely focus their resources on the worst offenders. Don't have them knocking on your door. #data #protection Click To Tweet

The state of preparations

When we started meeting customers a few years back, there were shocking differences in the approaches. Of course the industries most heavily afflicted with mounds of end-user customer data, like telecommunications, media and finance, have worked for years to ensure compliance with the new regulation. Some smaller organisations that we’ve met with may have taken the path of least resistance and see GDPR only as a reporting exercise. Some even have decided to do nothing and are waiting to see what happens. SAS conducted a survey on the state of GDPR, so if you’re interested to see how your peers are approaching GDPR, you can read the white paper.

See how your peers are approaching GDPR, read this white paper.

In my opinion this is a natural progression, as large organisations can afford dedicated teams to assess, plan and execute a GDPR readiness project. Smaller shops often have an already overburdened CIO who, in many cases, sees GDPR as one more unavoidable hassle ruining his day. Adding to the pain is the problem that many cross-national legislations have a level of ambiguity as to what will actually be required to fulfil the letter of the law.

 But what now?

As we all wait for the big day, happily the officials have also reacted to the need for more precise information and best practices. A good place to find up-to-date information is the European Commission’s Article 29 Working Party. They are an advisory office and act independently of the European Commission. I had a look at their collection of Guidelines, and there is some good advice on how the regulation is meant to be interpreted for some of the particular topics like data portability, role of the data protection officer and data protection impact assessments. Of course, the national data protection offices provide similar advice on their own sites well worth familiarising yourself with.

In our field of managing data, I have many times heard the saying, “Anyone can build a data warehouse, but few can live with it.” This has a resemblance with your approach to the GDPR. When setting up new ways to govern your data, make sure you build something that you can live with. GDPR is not the end of all things. Yes, it takes work and careful planning to become compliant, but on the other hand, you will end up with a better governance model and the ability to utilise your data assets to their full extent.

SAS works to help organisations with their data and provides solutions to access, identify, govern, protect and audit their personal data. Find more information on our SAS for Personal Data Protection website.