As the May 25, 2018, deadline approaches for complying with the European Union’s General Data Protection Regulation (GDPR), much of the focus has been on the weight of the regulatory burden it imposes and the size of the penalties it exacts for failing to bear that weight. But that’s a somewhat narrow view; look beyond it, and you can see that GDPR compliance may not be such a heavy lift after all, and also that the reward for achieving it is far greater than many may have imagined.

For organizations that begin their approach to GDPR with a well-established privacy program already in effect, compliance may be more a matter of layering GDPR on to the private-data protections presently in place than one of building a complete program from the ground up. We’ve been engaged in just such an effort at Dell Technologies, of which RSA is one of seven constituent companies. While we’re doing this with the immediate goal of GDPR compliance, of course, we also recognize that there’s ultimately an even larger payoff.

Organizations that meet the requirements of GDPR demonstrate to regulators and auditors that they’re compliant, yes. But they also demonstrate, and to a much larger audience, that they’re to be trusted. For customers, prospects, employees, and others who do business with these organizations, compliance with GDPR says, “You can absolutely trust us to protect your personal data.” An organization that is compliant assures those with whom it does business that it has the privacy policy, controls, and procedures in place to keep personal data safe, whether from a breach perpetrated via cyberattack or from inadvertently being exposed through a third party like an employee benefits administrator or a contracted services provider. The organization provides this assurance by virtue of having met the stringent requirements of GDPR.

It’s impossible to overstate the importance of this trust. If you’re looking to do business with a company, you want an assurance that they’re trustworthy. Do they take GDPR compliance seriously? How far along are they in their GDPR compliance journey? Can you be confident in their ability to protect your personal data, not to mention the personal data of your customers, employees, and others who entrust you with their data?

This isn’t just about the trust you need to have in companies with whom you’re doing business; it’s about the trust others need to have in you. To that end, you must be prepared to demonstrate that your organization is deserving of trust, that it’s far enough along the GDPR compliance journey to merit the highest level of trust. As you work toward that, you’ll want to:

Put a priority on areas that will be low-hanging fruit for regulators: How well you demonstrate through recordkeeping that you’re driving accountability for compliance; whether your organization meets the regulation’s notice and consent obligations; and what you’re doing to support data subjects’ rights to have their data deleted, rectified or relocated in a timely manner.

Achieving compliance is the first order of business between now and May 25 for any organization that’s governed by GDPR. Earning trust is the larger, and ultimately perhaps more important, consequence of the successful effort to comply.

Sooji Seo joined Dell in 2007 as legal counsel for Dell’s Australia and New Zealand business.  During her tenure at Dell, Sooji has held various leadership roles in privacy, regulatory compliance and strategic legal advisory support.  Sooji currently serves as Dell’s Global Privacy Program Director, which provides a broad range of leadership involving direct support and execution for the design, development, coordination, implementation and ongoing management of Dell’s global privacy program across Dell's global enterprise. This position leads a global team of certified privacy compliance professionals who are responsible to build, implement and manage a best-in-class and standardized global privacy program, in a highly regulated global environment.

Prior to joining Dell, Sooji was general counsel for Hunter Douglas Limited and Chubb Australasia.  Sooji has over 20 years of legal advisory, compliance risk management and risk governance, regulatory enforcement and commercial litigation experience. Sooji received her Bachelor of Laws (Honors) from the University of Technology, Sydney and a Bachelor of Computing Science and Mathematics from the University of New South Wales.