GDPR – Failure is Not An Option

If your organisation is like many who trust bought-in data from unknown sources, it’s time to think about how you will manage this in light of GDPR – or suffer the consequences.

GDPR is coming, but are you ready?

The latest GDPR information is due to be published in mid-December, causing panic and a rush to delete data or re-check permissions for many firms.

The aim of GDPR is to protect individual privacy rights and ensure data breeches are reported quickly and dealt with effectively.

Data Protection laws are nothing new. They have been around since the eighties with current Data Protection legislation tracing its roots back to the mid-nineties.

Although the proposed GDPR legislation goes further than ever before and will require huge resource, it is an evolution of current Data Protection and Privacy laws, not a revolution.

With this in mind you would imagine it shouldn’t cause problems if companies are already compliant with Data Protection regulations, so why is it that many organisations are choosing to stick their heads in the sand and view GDPR as just a ‘marketing’ problem?

The key to understanding the challenges posed by the upcoming changes lies in the fact that some decision makers simply aren’t aware, or have failed to see the knock on effect the change in legislation will have on HR, L&D and IT.

To put it simply, GDPR is the single biggest challenge facing business today – whether organisations know it or not. All employee, delegate and customer documents past, present and future will have to be stored securely, provided when prompted and ‘forgotten’ if an individual asks for their data to cease being processed.

This will then require a system which can distinguish between the level of data held, where it is located and how it can be accessed and provided in a commonly used format for both staff, delegates and customers. When you consider the amount of big data held on the systems of large firms and conglomerates, the size of the business challenge becomes apparent.

The L&D Challenge

With regards to L&D, similar rules would apply, meaning fair processing, storage and use of diagnostic and skills assessments would also fall under scrutiny – not to mention the data shared with third parties through LMSs held on external servers and delegate data needed to facilitate App learning.

IT Implications

IT professionals will have their work cut out too, as they may want to consider their approach to the ICO’s suggested multi-level permission and usage structure, aimed at allowing only relevant updates to reach individuals. The architecture and reengineering of current systems and databases to meet this requirement alone is enough to make you dizzy.

By May of next year organisations will have to decide on the lawful basis for data processing – be it claiming legitimate interest or a ‘hard opt-in’ process to comply with GDPR. To put it bluntly, if you use and store data on an individual they must give you explicit consent to process that data and you must be clear about how it will be used.

HR & Recruitment Considerations

Current thinking would suggest this means HR teams would have to delete that data, however, this only applies in circumstances where employees are able to exercise the ‘right to be forgotten’.

Similarly, when signing a new contract with a firm or processing delegate information, companies will need to have new employees and delegates emphatically opt-in so that their data can be processed. The idea of a ‘soft opt-in’ within a contract is no longer an option under GDPR.

Policies and procedures should be transparent, detailing where data will go, how it will be stored and how data subjects can retrieve it should they wish to. There is talk of removing the current £10 Subject Access Request fee, which would mean administration time in processing requests is at the expense of the company tasked with fulfilling it.


However much work an organisation has to do, GDPR certainly isn’t going to go away. Top line fines for non-compliance are significant; those who breach the new rules could be handed a bill for €20million or 4% of global annual turnover – whichever is greater. Although these headline figures are shocking, lesser infringements would be met with a lesser penalty.

Focus on Risk

With this in mind the UK Information Commissioner has highlighted that businesses should focus on their areas of risk, rather than the penalties of non-compliance. With only 52% of firms beginning to tackle the issue of GDPR, many still have a long way to go to achieve compliance.

MDs and CEOs should see GDPR as an opportunity to create a database of accurate information which gains greater staff, customer and delegate engagement in the long-run.

With the deadline for compliance looming and many businesses still unsure about how to tackle the issue of GDPR, it is clear that it will continue to be a hot topic for many as the debate about how best to clean up thousands of pieces of data will rumble on.

What Next?

Whether you need to take big steps or small steps to be fully compliant, acting now to clean up current CRMs, databases and policies will stand businesses of any size in good stead.

With so many myths about GDPR it is best to get it straight from the horse’s mouth, so to speak. In this case, if companies aren’t already checking the Information Commissioner’s Office (ICO) website for updates, they should be.

Making key decision makers aware of the move from current legislation to the new requirements and the work involved will help them to see the whole organisational impact of the new law. Those who don’t know where their information came from, who holds it and who they share it with, will need to organise an audit and change their processes to satisfy GDPR.

Updating privacy notices and policies to detail the lawful basis upon which information is held, and providing clarity as to the rights individuals have over data, how it can be deleted or ‘forgotten’, will pose interesting operational and procedural challenges.

Perhaps the key to any organisation preparing for GDPR – be it focused on employee data or individuals – is to quickly review how they seek, record and manage information to identify areas of risk.

If this is already happening then there will be little to do to prepare come next year. If your organisation is like many who trust bought-in data from unknown sources, it’s time to think about how you will manage this in light of GDPR – or suffer the consequences. Ostrich syndrome and failure to comply simply isn’t an option.