There is no shortage of GDPR advice and guidance; there seems to be a whole new industry dedicated
to training GDPR Certified Practitioners and DPOs; and a wide variety of new tools and online
products aimed at solving some GDPR issue or other. A quick survey of the documentation required
gives you a list of 30+ documents needed in order to claim GDPR compliance.
This might go some way to explain why so many companies are choosing to ignore GDPR, claim it
doesn’t apply to them, or would like to engage with this process but just don’t have the resources, or
can’t face the challenge, or cost.
Surely it is possible for the regulators to provide more assistance – more help with the documentation
required – and more practical help getting through the huge pile of regulations. My fear is that GDPR
becomes an enforcement process [opportunity] rather than an education process. There is no doubt that
GDPR is a complex and confusing set of regulations and the lack of support and practical guidance is
quite astounding. [Note: I accept that some people will disagree with this point and will argue that
there is lots of advice around.]
The point is that GDPR seems to be becoming a documentation exercise and opportunity for regulators to
levy fines, not an opportunity to change how companies operate – to encourage them to respect their
data and protect the rights of their data subjects. The enforcement regime and examples of early
enforcement action will help determine which approach has been adopted.
Sadly, I think I know the answer. My bet is that the regulators have invested huge amounts in
training new enforcement officers! Maybe this money would be better spent providing GDPR Support or training officers.
Good luck all!