Take a deep breath, right now, filling your lungs all the way; don't be shy. Count one, two, three, and then open your mouth and breathe everything out. Try that again, and then once more. This is what you could feel like when you think about GDPR readiness.
People talk about the 25th May 2018 like it's set to be the end of the world. If you ask around, you're likely to hear the largest retooling of our data protection legislation, the switching-on of the GDPR, discussed with equal measures of fear, anxiety and confusion. Organisations everywhere, and the people who work for them, are largely frightened: frightened that they're not doing enough, frightened that they're taking some action but are uncertain their approach is absolutely correct, or frightened because they're simply not sure where to start. But it shouldn't have to be that way.
GDPR can be an incredibly empowering thing. It's an opportunity to put everything on the table - to think about all of your data flows and processes, including the necessity and reasoning behind doing what you do, and above all else it's an opportunity to put your customers and supporters at the very heart of your data processing operations. All of this, and more, is possible with just a little bit of mental reframing when it comes to thinking of and talking about GDPR.
A positive first step when making peace with GDPR involves recognising it as something entirely wholesome. When it comes down to it, GDPR is really all about nifty things such as being up front about why you need to collect data from people, being clear about how you'll use it, and then only using it for those purposes. It's about being reasonable, only collecting the information you need and keeping it only for as long as you need it. It's about holding data securely and making sure it's kept safe. It's about empowering people and telling them about their rights when it comes to having control over their data. Most importantly, it's also about writing down what you're doing and why you're doing it, in case you're ever asked. Put yourself in the shoes of your customers, your supporters or your members for a moment, and this is all pretty cool and common-sense stuff.
One commonly cited annoyance which gets in the way when it comes to discussing GDPR compliance is that we don't have enough information from the powers that be, or in our case, the ICO. The ICO guidance is coming in slowly - they've consulted on a few items and produced a few drafts which haven't yet been finalised. While perhaps a little annoying, this shouldn't stop you from taking a long, hard look at your current operations and making sure that you're conducting yourself in a fair and transparent way. Sure, it would be nice to have more guidance, but don't let this stand in the way of your journey to GDPR readiness. The GDPR text is available online for all to see, in all its glory (and I wholeheartedly recommend you take a look if you haven't already), and a lack of localised guidance is no reason not to take to heart the GDPR's core values of honesty, fairness, transparency and accountability.
You have it within you to make GDPR compliance your friend, and a great place to start is to have a think about the data you collect, and the reasons why you need it. Think about how you use data, where you store it (whether that's on-site or in the cloud, and even then, find out where in the world 'the cloud' actually is), who you're likely to send it to, how long you reckon you need to hold on to it for, and why. Then write it all down. Accountability is a major facet of GDPR compliance, and you need to be able to show that you've thought about the issues and that you can justify your approach, or 'show your work'.
One other thing that can get in the way is anxiety over correctness, but don't worry so much about whether you've necessarily got the 'right' answer, as that can be a one-way ticket to inaction. One of the big secrets to GDPR happiness is that in most cases there is no universal right answer. This is particularly relevant when it comes to things like data retention, or thinking about how long you need to hold on to information for. All organisations are different, so it makes sense that we all have different needs and requirements when it comes to handling data. The main thing is that you have thought about the approach, the needs and the reasoning relevant to your organisation, and have written this all down.
Next up, be sure that you're being fair and transparent, and this is where it's easy to fall down. Consent is only one of the lawful bases the GDPR offers, but if you're going to ask for someone's permission to do something with their data, then you've got to be honest about it and it's got to be a positive action on their part: the GDPR's own wording is that consent must be freely given, specific, informed and unambiguous. A pre-ticked opt-in box is not consent. An opt-in statement littered with confusing logical quandaries and double negatives is not consent. If someone can reasonably claim that they weren't clear about what they were signing up to, then that's probably not consent either. You need to make sure you're being clear and up-front about your reasons for collecting and using data, and if you're not then you're asking for trouble.
Even with all of this in hand, it's very easy to get caught up in the fear and worry, particularly when considering the sizeable maximum fines which can be levied for non-compliance, and all of the media scaremongering around them. The thought I'd like to leave you with is that GDPR compliance is a state of mind more than anything else. The European Parliament, the European Council and the ICO are not trying to catch you out (you can actually invite the ICO round for tea if you'd like them to check out your approach to data protection in the flesh), and fundamentally, if you've built the core values of fairness, transparency, honesty and accountability into your approach (and if you've written all of it down), then really, the ball's in your court.
Take a deep breath, filling your lungs all the way, and then breathe everything out. Don't worry; this GDPR thing, you've got this.
If you would like to learn more about the GDPR, and start preparing, the IDM offers a full GDPR portfolio, ranging from foundation level courses to an expert level qualification.