The baby has become a toddler
On 25 May 2019 the General Data Protection Regulation (GDPR) will be three years old.
The baby has become a toddler, and we all know how toddlers can be. Like most new parents, we have found the last couple of years have not quite been our own, as each of us has wrestled to adjust and pay appropriate attention to what it may mean for us. The preparation was energetic, as was the arrival. The naysayers, overreaction and general panic have sent over 330,000 of you to the ICO, the compliance equivalent of 999 for an anxious parent. “Please help me, someone has dropped the baby.” “Calm down,” comes the reassuring voice, no one is coming to take your baby, “what exactly do you think you have done wrong?”
I opened this summary with the above analogy aware of just how hard it has been to ignore the paradigm shift felt within global business, particularly here in the UK and across Europe. In Jan 2018 almost no one knew what GDPR was, let alone data protection; now, however, even my Nan knows! The general feeling right now is one akin to a sleeping toddler: all is calm for the moment. More on that shortly.
MoJoU has been a compliance-focused business since 2015 and historically worked with the Data Protection Act 2000, which is now the 2018 Act. We focused on PCI-DSS, working with industry innovators such as Silver Lining. We have supported those complying with the e-Privacy Directive, soon to become the e-Privacy Regulation; those wanting to invest in ISO 9001 and 14001; those looking at security frameworks, from the Government-supported Cyber Essentials to ISO 27001; and those wanting support with Health & Safety and MiFID II. Right now there is a push for sanity checking and training as clients settle down to a new pattern of living with this new child.
Our focus has always been to offer independent consultancy based on our expertise, industry guidance or legal regulation, suited to where the client is, or perhaps is not. The ongoing challenge for companies navigating and adhering to contextual changes within their own respective industries still varies in demand, complexity and interpretation, hindered, I think, by a lack of standards. Despite this, GDPR compliance, and compliance generally across many disciplines, is becoming more routine. The complexity comes in navigating across compliance disciplines. For us, doing any of these pragmatically, in a limited and scope-based way, is always a core prerequisite, one that requires continual adjustment and makes complete commercial sense even if it is not always obvious.
The damage done to the industry I adore has been felt by all those who, like me, have been at it for years! I have nothing against most legal firms, but many clients have been stung by poor and expensive data protection guidance and advice. I have learnt that clients place a lot of trust in advice when it comes with high fees. Others have succumbed to the influx of opportunists and low compliance costs, fear, uncertainty and doubt. Many of them have now paid over the odds as projects drag on or need realignment. You do get what you pay for, as this image portrays.
So, what now? It is safe to say that compliance is always going to be a journey, not simply a destination. Changes are required of most organisations across the differing disciplines that pepper our respective landscapes. These will only ever evolve, much like a growing child. A failure to comply correctly could have wide-ranging implications. Yes, there is the threat of service restriction, monetary fines, damage to brand reputation, and loss of confidence and business, but the simplest cost is time. We each have the same amount of time in one day, and how we spend it is down to us. Why take six months when it can be done in three for half your time?
Working with an industry expert whose finger remains on the pulse of change may be the most cost-effective strategy to ensure you comply simply. Think of us as a trusted adviser who sits alongside you, whispering appropriately into your ear to empower you. Or, to maintain the child analogy, we are like the nuns from Call the Midwife who rescue you from a breech birth!
So what does the UK Information Commissioner say?
Regarding GDPR, Elizabeth Denham recognised the emerging toddler and recently said, and I quote: “We are implementing a new stage in the GDPR. This will move us away from seeing it just as a tick box exercise, and instead driving it to become a cultural and business fabric of the organization’s ethical accountability.” (8th April 2019, Information Commissioner)
Speaking to her afterwards, I asked her how she supported the SME and ME space with regard to their doing GDPR. Ms Denham made it quite clear that all need to do what is appropriate and are at no less risk. More guidance has since emerged. The challenge for the likes of me and others in my industry is ensuring that what we do as we support others is done appropriately, and this therefore remains our aim as we move into year four.
As the toddler approaches their birthday, MoJoU’s skills will continue to go way beyond GDPR. Aside from our clients’ commercial and strategic considerations, we need to treat compliance as an aid and not an inhibitor. PCI-DSS for those taking card payments, DPA 2018 (UK law), Cyber Essentials, ISO 27001 (security), ISO 9001 (quality), ISO 14001 (environmental), MiFID II (finance) and CQC (care) are just some of those.
As I look ahead, I look for new partnerships that seek to support one another: two-way relationships that build and see both parties thrive without suffocation. My aim, like any good parent, is to see all my clients become what they aspire to be, guided and supported by compliance and not inhibited by it, akin to an over-zealous parent living through their child. The baby is becoming a toddler.
If you would like more information then please do get in touch. Revd Mark James 07443 577577 www.mojou.co.uk