GDPR compliance is not straightforward. It is not a tick-box exercise, and it is not something that you can "pass" and then forget. It fundamentally changes the landscape of how companies deal with personal data.

Personal data creeps into many aspects of the business and, due to the portability of data, it tends to seep through an organisation. It has an unusual reach that companies need to get their arms around, not only in terms of where the data resides, but also how it is actually used. Both where the data resides and how it is used need to be mapped and appropriately controlled on an ongoing basis, so that any system or process changes take into account how personal data is used.

Even though to many this sounds like an IT project, it is much wider than that, and a successful project will involve stakeholders from throughout the business as well as having senior management sponsorship.

With May 2018 getting closer and closer, it is time to get serious about GDPR compliance. This means not only establishing what legal measures need to be adopted in contracts and through consent etc., but also establishing how and where personal data is used, and by whom.

The potential for massive fines under GDPR, let alone the damage companies face following any sort of data breach, means that GDPR should be a top priority for companies. However, the fact that 19% of UK companies have C-level executive involvement in the GDPR process indicates that this is not the case. This needs to change, otherwise companies will find themselves on the wrong side of fines, bad publicity and angry stakeholders!