Many organisations have been working tirelessly over the last 12 to 24 months to shape up their General Data Protection Regulation (GDPR) Programmes and compliance positions to reach a state of readiness deemed passable by their Supervisory Authorities, such as the Data Protection Commission (DPC) in Ireland.

However, as the compliance deadline of 25 May 2018 has come and gone, companies find themselves winding down their programmes and reallocating resources to the next alarming regulation coming into effect or to switch focus to recoup funding by focussing on endeavours with a direct return on investment. However, the reality is that the reality of GDPR is far from over and for many, the journey has just begun.

Why will GDPR continue to be important after May 2018?
GDPR has a long history and replaces previous privacy regulations, namely 1995 European Union Privacy Directive. The focus and impact of privacy concerns have evolved over time, and in turn the need for regulating the treatment of personal information have equally evolved. As GDPR is not the first privacy regulation, it is unlikely to be the last. Given that GDPR has received much attention with legal actions already pursued against large corporates, it is likely to continue to evolve and receive newer enhanced versions over time. Additionally, non-EU territories are likely to adopt a GDPR equivalent to meet their own privacy protection concerns or formulate bespoke rule sets for their territories. For multi-national corporates, finding a balance between multiple overlapping and inter-weaving privacy regulations whilst attempting to achieve a cost efficient method to achieve overarching compliance will require a forward thinking approach.

What should you be doing now?
Complete a Gap Assessment and Start Again: Many organisations have dedicated a large amount of resources to building a compliance ready GDPR programme. It is important to note that GDPR compliance requires continual compliance and ongoing effort. Understand the short comings of your current programme by doing a gap assessment against your desired target state and re-start parts of your programme to fill in key gaps and focus on priorities.

Look Past the DPO: Many focus on the requirement on whether to have a DPO in place. But it is much more important to have the supporting privacy structure, roles and responsibilities in place across the organisation to empower the DPO to affect changes and ensure organisational compliance.

Stand Out: It is advised to treat Privacy as an opportunity. Our customers looks to us to fulfil promises made and instil trust. Recent privacy breaches and press attention of large multi-national corporates have shaken this trust across industries. GDPR ties key privacy principles together and can be used of an excellent starting point for building that trust between customer of service provider.

Privacy Culture: To effectively affect change and see the most out of the resources allocated to your GDPR Programmes, it is important to embed the principles of GDPR into the culture of the organisation. This will ensure that as time moves on and as GDPR evolves and other privacy regulations come into effect, the effort required to incorporate these additional requirements will become minimal.

Wait and See: It is important to stay close to developments of GDPR legal actions and decisions made within the finance industry, within Ireland and Europe in general. By understanding the trends, outcomes and precedents set by others, your organisation has the opportunity to close any potential compliance gaps before receiving a similar outcome.

PwC Ireland have assisted many organisations over the last 24 months in their GDPR compliance, across a multitude of industries and sizes and varying starting positions, and it clear in each case that reaching the milestone of creating a readiness position by 25 May 2018 is but the first step on a long road to an effective and compliant privacy programme.