Although GDPR came into effect last year, many organizations still lack an overview of their data.
By Lasse Ruud, CEO HAIVE AS
In 2018, GDPR made a huge impact on organizations. Unlike the long-gone situation with Y2K, GDPR has no expiry date. It's here to stay, and it's fair to assume that regulations will be even stricter in the future. GDPR is now an integrated part of the compliance every business faces, and it is especially important to keep track of all sources when handling a subject access request. In this way, a business can guarantee that all insights are found, and that the petition is followed up appropriately. Many Norwegian businesses have probably done a good job on the process around GDPR, but too many have been sloppy about finding and deleting the GDPR data they are not supposed to have in their systems.
Can you deliver within 24 hours?
In a survey from Norstat, 75 percent of Norwegian business leaders say their business can find all the potential GDPR data in 24 hours if they receive an access request. Although this is great news, it may also be seen as alarming that 1 in 4 believe that they are not capable, or do not know if they are capable, of handling a petition quickly. The key issues are a lack of control over where relevant information or data exists, and a lack of procedures for handling GDPR requests when your systems do not already support this. It is a leadership responsibility to have this insight. It's the athlete who is in charge, as we have learned from the Therese Johaug case. If your company gets a complaint of a breach of the rules, it is the manager who is responsible.
Blind trust in the IT department
Confidence is high that IT, and to a certain extent the marketing department, has an overview of how to handle a transparency petition quickly and correctly. Through daily dialogue with Norwegian IT managers, my impression is that there is still an insufficient overview of all data within enterprises. The fact that many leaders are still confident that the business can handle the requests in the way they are supposed to be handled can therefore be due to insufficient insight. This is confirmed by managers in larger enterprises claiming that they can handle petitions in one day. In larger enterprises with better structure, managers are more inclined to think that someone will handle it. Smaller businesses require managers to be more “on top of things,” and they also see that they may not be fully compliant. So to all leaders out there – ask for an overview of what is done internally to handle a full view of your GDPR data. If you don’t get a clear and qualified answer – Who you gonna call?