Too few businesses have 25th May 2018 set as a key milestone in their organisation’s calendar. This is the date on which the European Union’s General Data Protection Regulation (GDPR) comes into effect. GDPR is a new EU data protection law designed to ensure that companies which operate within EU member states, and/or process the personal data of individuals in the EU, abide by a single, uniform set of rules.
GDPR – the operational risks
The implementation of GDPR will create additional operational risks for businesses, because data sharing will need to be more secure and customer privacy protected more strictly. The following components of GDPR each carry a new risk for a business that fails to meet them:
Extended jurisdiction
The new law will apply to any organisation which processes, or holds, the personal data of individuals in the EU. This jurisdiction applies regardless of the organisation’s physical location.
Consent and mandatory breach notification
Where organisations rely on consent as the lawful basis for using and storing an individual’s data, that consent must be obtained before processing begins and the individual must be told how the data will be used. Organisations will also be required to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, where the breach is likely to pose a risk to “the rights and freedoms of individuals”.
The right to access and the right to be forgotten
Companies must be able to supply the personal data they hold on an individual upon request from that individual. Likewise, individuals will have the right to ask that organisations and data controllers delete their data and stop sharing it with third parties.
Data portability
Essentially, this is the right for individuals to request that their data be transferred from one data controller to another. Organisations must therefore be able to provide an individual’s data in a machine-readable, commonly used format.
Privacy by design
GDPR requires data protection by design and by default, i.e. privacy and security must be built into an organisation’s business processes and systems from day one, rather than bolted on afterwards, so as to remove or reduce the risk of a breach.
Data protection officers
Organisations whose core processing activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data, must appoint a data protection officer, who can be a contractor, a new member of staff, or a member of the existing team.
In summary, the operational risks under GDPR are much greater than today’s, as the regulations work in a new and stricter way compared with the current Data Protection Act.
At a strategic level, the two main risks brought about by the different components of GDPR are the increased risk of non-compliance, and the severe damage to customer and business relations which could potentially be brought about by data breaches or inadequate data protection frameworks.
However, the immediate risk of not properly implementing the programme of change necessitated by GDPR is arguably much higher…
GDPR – the programme risks
Even for businesses that have taken the 25th May deadline seriously, preparing business processes, personnel and infrastructure for GDPR will be a major programme of change, and it is likely that many organisations have under-estimated the preparatory work required to get their processes and personnel ready.
Indeed, our experience with organisations we have recently analysed suggests that organisations could be under-estimating the time-frame for successfully implementing GDPR by several months, and in some cases by as much as a year. It is therefore vital that organisations consider GDPR first from a programme risk perspective and measure the risk of not meeting the objectives and timescales of the change programme.
The risks may be exacerbated for UK businesses and organisations, which may be distracted by planning to leave the umbrella of the European single market. It should be emphasised that GDPR takes effect before the UK leaves the EU, and that UK businesses will still have to be GDPR compliant when handling the data of individuals in the EU afterwards.
As with any compressed programme of work, the project needs to be implemented quickly, so the risk to timescales, cost and business objectives will inevitably be very high. If traditional risk management approaches are applied, it is highly unlikely that any significant benefit will be realised. Instead, we have recently applied advanced risk management techniques such as Strategic Timescale Analysis (STA) and Strategic Assumption Analysis (SAA) to great effect on GDPR programmes:
Strategic Timescale Analysis
GDPR programmes are a classic example of “must do by <date>”. The problem with programmes of this type is that people plan backwards from that date, and management pressure encourages “squeezing” of the activities until they fit the required timescales, irrespective of whether that is really practical. The net result is that the plans appear to be on time until close to the milestone, at which point significant delays are suddenly announced.
STA starts by building a strategic plan that shows only the potential critical paths. Estimates are broken down into four levels of confidence (A, B, C and D) by the person in the team best placed to provide the insight, and are unconstrained by the current plans. The assumptions driving each estimate are captured, rated and rigorously tied to that estimate. This provides full transparency and the ability to perform “what if” analyses. STA results have proved accurate, and the initial analysis takes only a few days.
STA results will probably show that the plan has a very small probability of success. However, by managing the driving assumptions identified, a “road-map” is laid out to get you from where you are predicted to be (i.e. a low percentage chance of success) to where you want to be (i.e. a high percentage). By following through on these assumptions, the objectives and timescales can be secured.
Strategic Assumption Analysis
SAA is a qualitative exercise to capture the “other” assumptions on the programme, i.e. those that are not timescale-specific. These assumptions tend to relate to aspects such as understanding of the project at hand, maintaining quality, relationships, politics, and regulatory/audit issues. Whilst these may be seen as the “softer” impacts, they can nevertheless be considerable if not managed. Any significant cost-related assumptions and risks are also included here. A separate analysis of cost risk (using Strategic Cost Analysis) may be performed, but in programmes of this type the focus is normally on managing the timescale risk.
GDPR will arguably be the most pressing risk management challenge for any business working within the European market or with the personal data of its citizens. Any organisation that has not yet thoroughly planned its GDPR programme of change, and de-risked it, will need to act quickly and decisively, or be exposed to non-compliance on 25th May 2018 and vulnerable to the enhanced operational risks described above.