The serious countdown to 25th May will soon start and more and more organisations are realising that GDPR compliance is the tip of the iceberg.
What do I mean by that? Well, the Regulation itself is lengthy but fairly straightforward. Yes, it expands existing data protection responsibilities, including making data processors liable in their own right. Yes, it grants greater rights to data subjects to ensure that they know what their personal data is being used for, by whom and where. And yes, it carries potentially significant fines, but the ICO has stated, and continues to state, that any penalties it imposes will be proportionate. All of these require changes to contracts, policies and procedures, or their creation where none are already in place.
What I really mean is that in undertaking what is probably the biggest personal data due diligence exercise it has ever carried out, an organisation will have uncovered all sorts of other gaps and failings that have nothing to do with processing personal data but probably still need fixing as part of achieving GDPR compliance.
I also mean that achieving GDPR compliance, whether this is at midnight on the 24th May this year or at some point later, is only the start of the journey. GDPR compliance is an ongoing requirement. DPIAs will need to become standard procedure and the process to undertake one embedded in standard operating practice. Breach notification using the ICO’s new telephone hotline will also become part of life for some organisations.
Here’s to data protection expertise becoming standard.
Roll on the next phase. E-privacy Regulation – where are you?