As the 25th May draws closer, it has become increasingly important to embrace the new data protection regulations that will affect all organisations with members and customers in the EU.
Even a quick Google search for "GDPR" conjures 10.4 million results containing a plethora of information about the new law, why it is changing and the fines you could face for non-compliance.
While the seemingly abundant resource of information around the General Data Protection Regulation appears helpful at face value, where NGOs are concerned there isn't a great deal of advice that you can actually put into practice.
The bulk of the content produced around GDPR seems to be a massive lexical regurgitation of very intense, legally focused jargon that doesn't offer enough functional advice that organisations can put into practice straight away.
The issue this causes is a disconnect between how informed the lawmakers think organisations are and how knowledgeable those organisations actually are, brought about by overly technical information. It is understandable, though, that the level of legal detail is so high for such a massive piece of legislative change, with various points open to differing interpretations.
Importantly, though, it is counterintuitive to offer organisations a complicated body of information explaining the changes to data protection laws and then subsequently fine them vast sums of money for non-compliance, likely due to a lack of understanding of the new law. There is an argument that if the lawmakers were clearer with their guidance, more organisations would remain compliant.
If we use the example of the Workplace Pension Reform in the United Kingdom, the law change that meant all employers must enrol their workers into a workplace pension (depending on certain jobholder status and eligibility), we can see areas of similarity that can be used as learning points for GDPR implementation.
Initially, the campaigns around the workplace pension reform were supposed to inform businesses about the changes to legislation, what they meant and, importantly, what would happen if you didn't comply. Following the early adoption phase, many businesses were missing their "staging dates" (the specific date from which the employer needed to be compliant with the new law) and as a result were being issued Penalty Charge Notices and ordered to backdate pension contributions. Many of the reasons for missing staging dates were put down to a lack of clarity and confusion about what actually needed to be done, due to how overcomplicated the guidance was.
Consequently, the governing body that oversees pensions, The Pensions Regulator, took the step of simplifying the guidance, changing its wording and even running television adverts to make the public aware of the changes. This provided the catalyst for a two-pronged approach on employers: one from the government and one from the employees who worked for them. This then led to more businesses being compliant with the regulations and fewer fines being issued as time went on.
So what can we learn for the implementation of GDPR? In this particular case, we actually have the benefit of hindsight. While the Information Commissioner's Office website is a brilliant resource, including detailed documentation on the conditions that need to be satisfied to remain compliant with GDPR, it is all still very much an overload of legal language.