Procrastinating on securing your consents

Doing nothing is certainly the most tragic scenario (although in some cases it turns out to be the lesser evil: sometimes it is better to do nothing than to make things worse…).

95% of sanctions are triggered by offences on personal data, not on paper governance

Companies often have a distorted view of the risk they run under GDPR in terms of sanctions and loss of brand reputation. Italian companies are used to interpreting the law in a prescriptive way, typical of Roman law: a series of formal, mostly bureaucratic fulfilments, which form the to-do list meant to protect the company from possible inspections and sanctions.
On the contrary, GDPR is based on the accountability principle of Anglo-Saxon law, which is much more concrete: it provides for the real accountability of the Data Controller (and the managers involved) and treats the ‘paper’ as the starting point for verifying the substance of the facts, certainly not the end point.
The paradox that companies are experiencing today is that they are staking all their defences on formal aspects (governance, documentation) when 95% of the triggering causes for sanctions are related to substantive offences, due to the daily processing of personal data and consents.

GDPR does not work like insurance

Another reason for ‘doing nothing’ is the CFO who only calculates costs and benefits based on the company’s past (and fortunate) criticalities, not taking into consideration future scenarios.
But GDPR provides for retroactivity: a dispute arising today may force the company that has to defend itself to retrieve information and Proofs of Genuineness even from months or years before.

Sometimes the CFO (but not only) sees Cyber Data Protection as an insurance policy: “If nothing has happened so far, we have done well not to waste time and money on our useless protection!”. This is not the case, however: Data Protection does not work like insurance precisely because it is retroactive. The personal data and consents that a company collects today may be analysed and questioned in the future and may lead to sanctions. Failure to manage consents correctly means mortgaging your own future and the company’s future.

“Not managing consents” is not a good idea.
What can you do?

Why keep the criticality of Consent management in-house when it is better to outsource it to PrivacyOS?