With so much negative press around Brexit and GDPR over the last few months, it is great to see the momentum shift to exploring the opportunities these significant changes in regulatory or trading positions will offer. Change always creates uncertainty, and with that uncertainty there is often a reluctance to address the potential outcomes in case your view of the future turns out to be wrong. But doing nothing is invariably worse, and planning now is clearly the best course.

Firstly, what is your exposure to any changes? Have you undertaken a detailed Business Impact and Risk Assessment? This should have highlighted potential risks with the regulatory impact on your data, the data you process on behalf of other organisations and the data your suppliers process for you.

Secondly, what action have you taken to establish a GDPR compliance program? In the UK, the Information Commissioner's Office (ICO) has been set up to uphold information rights and will be looking for organisations to demonstrate that they have appointed a Data Protection Officer, have conducted a privacy impact assessment, and have documented areas of compliance together with a plan for areas requiring further work.

Thirdly, what plans do you have in place to deal with a data breach when (not if) it occurs? These should include processes to notify the ICO, processes to communicate with data subjects affected by the breach, and plans for addressing the potential reputational impact a breach might have on your business.

But as organisations start to look under the covers, they begin to realise that this new regulation is as much an evolution of existing laws as it is an introduction of anything new, and in fact is driving harmonisation and trust in the digital economy. Embracing these changes will not only tick the compliance box, but will also strengthen your data management processes in a landscape where data, and therefore data management, is paramount to being competitive.

This podcast by Keith O'Leary is well worth 20 minutes to explore the opportunities thrown up by GDPR.