Apologies to those of you who noticed that things have been quiet on the site for the last couple of weeks.

I was in Brussels attending the European Data Protection Congress, organised by the International Association of Privacy Practitioners (IAPP).

It was a very interesting couple of days.

(Surprising, I know, given it was a conference centre filled with 1500 data protection people!)

I won’t bore you with most of what I heard – I’ll keep that for my conversations with GDPR nerds.


But there are two key messages that could be of interest to real people who just want to be compliant and get on with their lives:

1. Even the experts don’t have all the answers

There are many areas where the ‘right’ answer is not yet clear.

Why? There are still too many moving parts – e.g. Brexit, the long term outlook for EU-US Privacy Shield, the new ePrivacy regulation.

My advice: Even though the finish line is not clear (and there may not even be a finish line), you shouldn’t use this as an excuse not to get started. A lot of what it takes to comply with GDPR is very clear. Get on with it.

2. Many organisations will not be fully compliant by the deadline

Many organisations, both large and small, were very open about the fact that their compliance projects will not be finished by the time GDPR kicks in.

Why? You can’t identify your compliance gaps if you don’t know what processing you are doing. For many organisations, the GDPR project is the first time they have put people in a room to talk about all of the processing activities performed within the organisation. Only then were they able to identify compliance gaps that needed to be addressed, revealing the extent of the work involved.

My advice: While non-compliance by the May deadline is a risk, there are ways to mitigate this risk. But you need to approach your GDPR compliance project in the right way to ensure you are mitigating this risk effectively. You need to flush out as many of the issues as possible, and then follow an objective process to identify and prioritise the risks of most concern.