I’ve given several talks and been featured in videos recently about GDPR. Here are some of my observations from those.
TL;DR: If you have taken no steps to be GDPR compliant, then you could be one of the first to get into trouble under the new law. If you have taken steps, you’re better off than someone who hasn’t.
“Proper, compliant use of data is now our priority”
It reminds me of the day after a train accident several years ago. I was at my local station and the announcer said “We can’t run this train today as your safety is now our number one priority”. What do you mean “now”? You mean it wasn’t before? That might have been a foot-in-mouth moment but that’s the way some people act. They’ve heard GDPR is coming so now they’re going to use personal data properly for fear of getting a large fine. You should have been doing this already!
“What’s this data protection law?”
Some people have only just realised there’s a Data Protection Act. Other people believe GDPR will introduce data protection for the first time. Look — if you’re already aware of the existing personal data protection laws and are trying to be compliant, you’re going in the right direction. If you’ve only just discovered there’s a DPA, let alone GDPR, you have a long journey ahead. Better start it now!
“I’ll get a GDPR consultant to fix this”
Ok, that’s a start. Remember though, it’s about people, process and technology. There is no GDPR magic wand a consultant can wave from afar. They can’t just tick a few boxes to make you compliant — in return for a large fee of course. Even as a lawyer, there’s only so much I can do. I can rewrite your data collection wording, your data processing clauses with customers and suppliers, prepare data protection policies etc. That alone isn’t enough to make you compliant. You still need to look at how your organisation handles personal data from the moment you get it to the moment you stop using it. You need to sort out your data processes. How do you collect data? Who has it and what do you use it for? How long do you keep it? How much legacy data do you hold that you don’t need? That’s not looking outside-in, that’s looking inside-out.
“I’m a GDPR consultant and I can make you compliant”
Oh good. GDPR is a big issue and it’s worth people trying to address it, yes, even to buy in external expertise. But, I repeat, there is no GDPR magic wand. If you’re looking to buy in expertise, check the consultant’s track record. While GDPR is new, data protection is not. Does your consultant have any credible history of advising in this area or are they jumping on the bandwagon?
“I don’t have to be quicker than the lion, just quicker than you”
Yes, if you’ve taken some steps to be compliant, you’re better off than the person who has taken none. The ICO may go after those who have taken no steps. That still won’t guarantee she won’t fine you or use one of her extensive new powers against you. The ICO is generally pragmatic in my experience though.
“I’m going to take a risk-based approach”
Fair enough. Running a business is all about balancing risk. If you use data in a reckless manner then that’s a risk too far. As the old saying goes, just because you can, doesn’t mean you should (or that it is lawful).
“Brexit will kill GDPR”
Ha, no! GDPR becomes enforceable on 25 May 2018. Brexit won’t happen until March 2019. Even then, it’s likely we’ll still have GDPR in one form or another. Data protection was even mentioned in the recent Queen’s speech. Not sure why though, as the General Data Protection Regulation doesn’t need a new Data Protection Act to be enforceable, as the Directive did. The European Communities Act does that already. (All right, that’s a technical legal point I’ll save for my lawyer buddies.) Anyway, even if we don’t have data protection laws in the UK after Brexit — again, I can’t see why: quite aside from the fact we started it when we helped draft the European Convention on Human Rights in 1950, data, including the flow of personal data, is essential to the digital economy (ok, ok, I’ll move on) — you’ll still have to comply with GDPR in respect of any EU citizens’ data you use, access, process or hold.
“We’ll only comply with GDPR for EU data”
No compliance officer I’ve spoken to wants two standards of compliance to apply depending upon what the dataset is. If you can completely segregate your EU personal data from your non-EU personal data, then applying two standards is an option. Otherwise, GDPR compliance will have to act as the baseline for all your personal data.
“We don’t have budget for this so we’ll wait for the first fine before we act”
You’re sure you won’t be one of the first to be fined? Or to receive a prohibition order from the ICO preventing you from processing personal data? Good luck with that. That’s not a strategy I’m advocating. The ICO will focus on the most egregious breaches, of course, and this might not be you. What if your employees or customers blow the whistle on you? What would customer awareness of your data breach or non-compliance do to your reputation? Remember, it’s cheaper to keep existing customers than to get new ones.