I was reflecting on GDPR preparations and it struck me that the best movie to explain GDPR preparations was Raiders of the Lost Ark.

The film starts with Indiana Jones (our lowly DPA officers and the upstanding DPA consultants) trying to protect an artefact (DPA compliance). He is gazumped by an unscrupulous rival Belloq (i.e. GDPR cowboys). He goes back to the home office where the government (our bosses) want to know more about this elusive thing the Ark (GDPR compliance), a potential weapon of immense power. They must rely on Indy to know how to get it and deliver to them this weapon before Hitler (a fine happens) gets a hold of it (no, the ICO are not the Nazis :)).

Indy sets off on his quest. He consults long forgotten files and enlists the aid of people some of whom help him as much as they can. Other people who do not want to remember him such as Marion (insert any teams or people who do not want to be reminded of the DPA or have the “extra” work on top of the “day job” :)), but in the end see the hero’s goodness. Meanwhile, though the unscrupulous Belloq has teamed up with other nefarious characters to present their map to the Ark. What Indy knows, (as do the dutiful DPA officer or upright DPA consultant), is that Belloq and his allies only have partial knowledge. They lack the key insights Indy has gained from having consulted with Marion, who has the medallion (The experience of having dealt with DPA for years, if not decades).

Indy knows the place to dig and soon discovers the Ark (GDPR compliance) but Belloq and allies gazump him again. (This is GDPR cowboys with seductive offers of certified advice, training, guidance and flattering GDPR advice to make compliance easier).

Indy and Marion struggle to regain the Ark, but despite succeeding for a time, find themselves gazumped a third time before the end of the film (the flurry of “consent” emails panicking people about GDPR and compliance readiness) (“Are you sure we don’t need to send these emails out? Everyone else is doing it. This certified GDPR consultant is saying we do…..”) However, Indy perseveres and tries one more time to rescue the Ark, and Marion, from Belloq. He fails and the day of judgement arrives, the Ark is to be opened (GDPR day).

Indy gives one final warning to Marion before GDPR day arrives. If you have followed his advice (GDPR compliance from a DPA officer or an upright GDPR consultant) you will be safe. If you followed Belloq’s advice, the righteous flames of the Ark (GDPR compliance) will melt you like a human candle. 🙂 (Figuratively, not literally (I hope)). Indy and Marion are saved while Belloq and company perish like human candles in the flames.

Indy rescues the Ark and brings it back to his bosses. They congratulate him, but when he asks what they intend to do with it; they say they will look at it. He tells Marion they don’t know what they are doing (DPA officer’s lament, “will anyone take GDPR compliance seriously?”). She agrees (the eternal staff lament that management should be prioritising *their* work not *that other work*.). The film ends with the Ark sitting in vast warehouse among a number of boxes (the fate of policies and rules but surely not GDPR compliance? ;)).