The General Data Protection Regulation (GDPR), which comes into effect from 25 May 2018, is prompting a flurry of enquiries from clients.
Unusually, however, those enquiries are coming from one of two polarised positions. On the one hand, I have had clients saying things like “I have updated our Privacy Notice and will review the Data Protection Policy – that’s all I need to do, isn’t it?”, while those in the other camp are in a blind state of panic, frantically deleting everything they can, introducing policies left, right and centre, fearing fines of up to 20 million Euros and worrying that their business will grind to a halt because of the crippling and restrictive impact of GDPR.
Perhaps unsurprisingly, the reality is somewhere in the middle. Are you going to have to do more than update your Privacy Notices and Policies? Yes. Are you going to go out of business, either because you will drown in the red tape unleashed from GDPR or because of the fines that you will receive? No.
As a starting point, ensure that you (or someone in your organisation) understand the six privacy principles which you must follow from 25 May 2018: (1) Lawfulness, fairness and transparency; (2) Purpose limitations; (3) Data minimisation; (4) Accuracy; (5) Storage limitations; and (6) Integrity and Confidentiality. While it is technically correct that a failure to abide by these principles when dealing with “personal data” could result in a fine of up to 20 million Euros, the reality is that the Information Commissioner’s Office (ICO) are not going to be coming down like a tonne of bricks on organisations that have tried to get their ship in order, but steered slightly off course.
In terms of what you actually need to do, following the 12 steps set out in the ICO Guidance “Preparing for GDPR; The 12 steps” is going to go a long way. I have attended conferences and heard from Senior Policy Officers from the ICO; their position is clear: “we are a proportionate regulator”. The ICO are not going to be levying huge fines on organisations that have followed the 12 steps. Unsolicited marketing where the recipient has not given a positive “opt in”, or loss of sensitive data, is of course another matter.
My advice is to see GDPR for what it is – an opportunity for a good spring clean. If you are holding personal data, ask yourself “why am I holding this?” and “do I really need it?”. A response of “just in case” is not going to cut it from 25 May 2018. Rest assured, GDPR is coming, and it is going to lead to a change of culture, but the good news is that you still have 5 months to implement the necessary changes.
If you require advice or support in relation to getting your business ready for GDPR, please contact James Twine on 01752 292351.