Six months have passed since the new EU Regulation 679 entered into force, and about a year since GDPR alignment became an extremely active topic. The end of May was a turbulent period, culminating in an avalanche of e-mail statements and consent requests. After that the agitation gradually calmed down. This could be GOOD if we assume that people have understood what it is about and have started aligning. But reality shows us that this assumption is NOT TRUE. Reality is different, and this is NOT GOOD.

Everything goes from managers

Starting an alignment project is inseparable from a management decision. Nothing can be done if management is not convinced of the importance of the subject. But understanding the importance is not everything. Management must initiate the activities, set up a team, delegate a responsible person and, above all, plan resources. This means getting involved.

Any business analysis or audit, which is the first step of a compliance project, is a function of the level of management engagement. Are the managers directly involved, do they take part in discussions, or do they delegate a trusted person to handle everything?

What situations do we actually encounter? Most of the implementation steps undertaken so far have been the result of external pressure and only rarely the result of genuine management conviction. Unfortunately, there are still many managers who consider GDPR:

  • a stupidity;
  • a simple bureaucratic exercise;
  • a threat with huge penalties that will never endanger our organization;
  • a lot of money thrown away;
  • an extra headache that can still wait;
  • a great bluff, since no one has been fined so far;
  • something none of our buddies or partners did anything about, and nothing happened to them;
  • something for which those who hired a consulting firm paid for nothing, because they had to do it all alone …
  • something totally useless: "I only work with business data. These are public data, not personal."

And the list could go on and on…

What needs to be done

It’s never too late to start. You can begin the alignment exercise at any time. Here are some tips for managers:

  1. GDPR MEANS ALL – It’s not a stupid thing. Any organization, association or licensed natural person that carries out an activity in which it acquires personal data of its clients, partners or employees NEEDS to comply with GDPR.
  2. SIZE DOESN’T MATTER – Whether we have a company with 10, 50 or more than 250 employees, whether we are a micro-enterprise, an NGO or a professional association, whether we manage a tenants’ association or are an independent consultant, dentist or specialist blogger, WE NEED GDPR. Of course, not all of us need all procedures and policies. But there is a core of activities and measures that is mandatory for any kind of organization. We cannot avoid this. WE HAVE TO BE PREPARED.
  3. GDPR MEANS ACCOUNTABILITY – We are responsible for the personal data we hold. For our employees. For our customers. For our partners. We do not do this because we expect inspections from the Authority, nor as a mere bureaucratic formality. We do it for our own sake and for the community in which we live and work. WE ARE RESPONSIBLE FOR OUR RESPONSIBILITY.
  4. GDPR IS MORE THAN A SIMPLE PROJECT – More than the implementation of an IT solution. More than a bureaucratic review of documents from a different bureaucratic perspective. It is an assumed, documented and permanent action that involves decision-making, policy-making and the adoption of procedures, but above all a team action with a triple involvement: PEOPLE, TECHNOLOGY, PROCESSES.
  5. GDPR IS A PERMANENT REQUIREMENT – It is not a one-off push, a one-time activity, or an implementation of procedures after which someone hands you a diploma. It is a permanent exercise, a mandatory business requirement for the entire business lifecycle. In order to maintain an optimal level of compliance, we need to act continuously so as to stay within certain parameters.
  6. GDPR IS AN EFFICIENT INVESTMENT – No money is wasted. No one forces us to make all purchases at once. A risk analysis can help create plans to address the possible sources of incidents involving loss of personal data. We focus on what is most important now and make the effort there. A budget allocated for the next financial year will help keep the balance. There are many ways to reallocate budgets once we become aware that WE MUST HAVE THIS.
  7. TRAIN YOUR PEOPLE – Learning is nothing to be ashamed of. It is a permanent need. You do not understand exactly what this is about and you do not have time to rack your brain over it. Take part in a one-day or two-day GDPR training session. There are already dozens of courses that offer this. You can do it online from your desk or from your armchair at home. You will see what it is about. You will understand why it is important. YOU WILL GRASP THE RESPONSIBILITIES.
  8. PREPARE A DATA PROTECTION OFFICER – Even if the law does not oblige you to hire or appoint a DPO, many aspects of GDPR adoption require the skills of a person who has undergone DPO training. Do not wait for the certification issue to be solved. There is no time to wait. You do not need diplomas, but (at least) someone who knows where to start, with whom to start and what to do.
  9. WE NEED A GDPR CULTURE – This means respect for data. Permanent training of employees. Testing the effectiveness and efficiency of existing procedures. Adaptation to change. GDPR will undergo changes over time. Verify compliance with related regulations such as Privacy or NIS. GDPR compliance becomes permanent, just like internal regulations, fire protection, or evacuation measures in case of natural disasters. Protect your data! Put a post-it on the door next to the ones that say “Turn off the light!”, “Check the gas!” or “Activate the alarm!”
  10. GDPR IS AN OPPORTUNITY, NOT A CALAMITY – Look at alignment efforts as an investment in efficiency. As a first step in the digital transformation of the organization. As a label of trust for your employees, customers and partners.

It depends only on us. It is our responsibility as managers. GDPR compliance cannot be ensured without our involvement and that of the entire organization. It depends on us how we apply the procedures recommended by a consultant. It depends on us how we assimilate policies and how we make sure people respect them. The health and efficiency of our business depend on us. It depends on us whether we can turn compliance into a competitive advantage.