Water, water everywhere but not a drop to drink. Feels a little
like GDPR – trying to work out exactly what you need to do in any scenario is
desperately difficult! Whether you are an SME, large business, charity, or public
body, there are so many documents to read and so much conflicting information
about it that GDPR preparation becomes almost impossible.
We went for old-fashioned post-its and coloured pens to identify tasks,
documents, and other issues from a wide range of sources. This worked
surprisingly well but gave us a list of 40+ documents plus a number of pretty
significant tasks. We are an IT company with IT-literate staff who are used to
working with data and complex processes, but this is still a challenge.
How are small/busy/resource-strapped companies going to do this? I guess the
answer is that most of them won't do it. There seems to be an imbalance
between meeting very laudable objectives and making things so difficult that
companies just ignore it and don’t even try. On a risk/cost analysis the zero-risk
option would cost a gazillion pounds – a 50% risk option would still represent a
significant investment, and the chance of enforcement action would still be too high – so why
bother going for a 50% solution at all?
What to do? How will SMEs approach this?
My sad prediction is that most SMEs won’t do anything. Nothing. They will
ignore this and hope they get away with it. If you have no chance of achieving
GDPR compliance and always risk enforcement action, then why try at all? If you
risk enforcement action for a simple user mis-op, then why try to fix
everything else?
Discussions with many SMEs suggest that the level of understanding is
desperately low and that planning/action is just as low.
I hope I am wrong. Does anyone have more experience?
Good luck all.