The Bandwidth 'issue'

Much has happened in the 60+ weeks since 25th May 2018 and the arrival of the GDPR.

As expected (hoped) there have been some big fines from the various statutory authorities across Europe. The headline numbers are impressive, but the news cycle is fast and they are quickly forgotten. By the time you read this the Oystercard breach will already have reached the ‘oh another one’ stage; the nuances of the judgements being made by the regulators will still be lost on most organisations; and senior executives will have shrugged it all off as ‘things that happen to other people’.

To try and keep things front of mind, the ICO publishes a handy online list of miscreants detailing what they have done wrong and the penalties imposed, including naming and shaming organisations that have failed to pay the data protection fee. The latter serves mainly as a marketing opportunity for companies offering DPO services rather than as a prompt to others to sort themselves out, showing just how easy it is for management to dismiss those on the list as unlucky to be caught. The assumption is that it is just small players who have been caught out by one piece too many of red tape; but big names feature too – Farrow & Ball, Reckitt Benckiser, Coty, Condé Nast – plus a whole host of recruitment, legal and financial services companies who really should know better.

But some headlines suggest in a roundabout way that we are getting there: a recent survey announced that ‘30% of companies in Europe are still not compliant with the GDPR’. It’s not really good news though, since the response from many in the data protection community was that they would be surprised if, of the companies surveyed, 30% were actually anywhere near compliant with the legislation.

What exactly is the problem? Why are so many organisations getting caught out by processes that are simple to fix; senior executives able to ignore the potential harms to their business; and knowledge about what compliance actually looks like so poor?

It’s all down to the Bandwidth Issue.

Busy people, busy lives, busy jobs, noise, noise, noise.

If your inbox pings every 15 seconds with a new email, your organisation uses Skype or internal messaging systems that give free rein to the colleague with verbal diarrhoea, and you spend half of your day in meetings and the rest trying to meet ever-present deadlines, where are you supposed to find the time to read, digest and understand a large and complex piece of legislation that has far-reaching effects in every corner of your business (and/or find the will to do so)?

The simple answer is that you can’t. You just don’t have the bandwidth.

Which leaves you with two options:

  1. Find someone who does; or
  2. Convince yourself that a skim read (either by yourself or an unwilling volunteer – possibly in the marketing department) will give you the salient points, you can work out what fits, tick the box and move on.

The problem with Option 1 (for a lot of organisations) is that it costs money. Which you haven’t budgeted for. Money spent that doesn’t generate direct profit so it skews your KPIs, your cost/benefit analysis, your annual bonus…?

So, Option 2 it is then. A quick sprint through a few blogs online from commentators who look like they probably know your business model; a scan read of a few of the information pages on the ICO website; a document that covers off all of the bases (you think); and a bit of employee training which essentially consists of telling them to change their passwords and not use USB sticks*; and hey presto! Houdini-like, you shimmy across the compliance high-wire.

Until, that is, something happens that means your methods are held up for scrutiny. Maybe there is an M&A process underway which requires extensive due diligence, an important client has asked for an audit, or the ICO has decided to make an investigatory visit. Perhaps a key supplier ceases trading and you need to work quickly to make sure any data they hold can be secured or remains accessible. These scenarios leave you once again with two options (of your own making): 1) go scrabbling around for lots of different pieces of information, which is going to suck up management effort and time with the efficiency of a hoover; or 2) open up your records of processing to find what you need quickly and efficiently.

The issue with option 1 above is that it is also going to use up bandwidth. What you saved on the swings at the beginning, you are now going to pay for on the roundabout. Only this time it is going to be far more stressful, because there will be a deadline and, possibly, an external scrutineer involved. Having seen some ICO audit reports, what is abundantly clear is that having customer-facing compliance ‘ticked’ won’t save you from some scathing analysis if you haven’t also done the groundwork.

So, if you don’t have the time, energy or, frankly, the inclination (because data protection legislation geekery isn’t for everyone), buy yourself some bandwidth (expertise) now to save a whole load in the future.

*To be fair, telling your employees this is no bad thing, because we all know that a significant number of data breaches are caused by inappropriate management of data transfer. It’s just that a set of rules doesn’t really equal compliance.