The General Data Protection Regulation (GDPR) comes into effect in a little over a year, and will change the landscape for companies and organisations who gather and store personal data – any personal data – on any EU citizen.
Many organisations are significantly behind in their preparations for this enormously complex piece of legislation, and in some cases are unsure where they should start.
The answer is less complex than the problem, however – the best place to start is to educate the people who make up your organisation.
Any organisation is only as good as its least dedicated employee, and because the scope of the GDPR covers all aspects of how organisations work, companies need to start educating staff to think about consumer data in very different ways.
While having secure IT infrastructure should be a significant part of any organisation's plan to comply with the GDPR, it is only one step towards compliance and should absolutely not be your only one – ultimately IT is only a tool to be used by the people within your organisation.
Ignorance is not a defence
If the people within your organisation either do not understand the scope of the GDPR, or do not appreciate the gravity of the consequences if they do not comply with all aspects of it, then all of the IT systems in the world will not save you. Ignorance of the law is no defence.
The only way to deal comprehensively with implementation of the GDPR is education at all levels of your organisation in order to change both practices and perceptions of how consumer data should be collected, stored and handled.
Given the size of potential fines (up to 4pc of worldwide turnover) and the potential for costly litigation by consumers, the consequences of even one employee not knowing what the GDPR means for your business could be devastating.