There is an almost palpable feeling of panic setting in behind closed doors in organisations across the country as new General Data Protection Regulation (GDPR) legislation looms ever closer.


Many businesses have spent the last year preparing for it by employing additional staff, and sometimes even whole teams, to manoeuvre their businesses through to compliance by the deadline later this month.

Whilst it is crucial to understand the importance of the new regulations and that preparation for them is key, the sole focus on being compliant by 25th May 2018 is a risky one.

Could well-prepared businesses sit back and rest on their laurels from the 26th May onwards, safe in the knowledge that they’ve done what they needed to by the deadline?

If so, then their approach is based on a dangerous misconception – that GDPR is a single event, and not an ongoing process.

The most helpful example of this is provided by the Information Commissioner herself, Elizabeth Denham, who called out the incorrect comparison between GDPR and the Y2K millennium bug.

In 1999 there was fear that New Year’s Eve would see computers crash, planes fall out of the sky and nuclear war accidentally start. Similar levels of scaremongering have been felt in the build up to GDPR, but according to the Information Commissioner, this too is a misplaced fear.

Why? Because unlike Y2K, GDPR is an ongoing journey, an evolutionary process for organisations to adopt principles of data protection best practice into how they do business.

The aim is for data protection to be woven into the fabric of all organisations, both in terms of the systems and processes used for collecting, storing and sharing data, but also in relation to how businesses interact with their customers.

That is not to say that organisations should relax – yes, they need to get the building blocks in place to comply by the deadline, but they also need to remember amongst all the GDPR panic, this is about developing a new way of doing business. And that brings with it a number of opportunities.

GDPR offers businesses the chance to overhaul their practices and procedures, become more accountable and build trust with their customers by doing business in a more ethical and responsible way – something which Facebook probably rather wishes it had done in the first place!

This new way of doing business needs to be embraced by the end of May, but the wider concept of data protection should be a continual, evolutionary process within your business – and one which is largely technology-led.

By now, you should already be well on your way to becoming compliant by the May deadline, but if you’re not, don’t worry – there’s a lot of guidance out there to help you find your way and the ICO’s 12 Steps to GDPR Compliance is a good place to start.