GDPR is coming and the simple fact is that most of us are ignoring it.
Some hoped that BREXIT would save us or that it would just go away. Well, I am sorry, but it won’t, and the deadline is the 25th of May 2018.
It’s time to take GDPR seriously.
This is the first of a number of posts setting out what I have learned and what we are going to do with our clients.
It will be targeted at small and medium sized businesses and organisations. The people who must deal with the real world, not the one regulators think we live in.
Don’t panic
First things first. The sky will not fall in on the 25th of May 2018.
Even the enforcement authorities aren’t ready yet.
Computer salesmen of a certain generation used a technique called FUD (fear, uncertainty and doubt). Life insurance salesmen were encouraged “to bang on the coffin”. There is a lot of it going on now.
What you need is a plan. GDPR is not something you can achieve, it is something that you do continuously.
If your current Data Protection processes are in good shape, you are well on the way to GDPR.
What is GDPR?
GDPR is not the Data Protection Act. The DPA is working its way through Parliament now.
GDPR is an EU wide regulation that all members must adhere to.
Individual countries will introduce specific laws for their own jurisdictions that might affect how GDPR applies in their country.
The UK act will also deal with the powers and responsibilities of the Information Commissioner’s Office.
You will have to apply the new DPA when it is enacted, but you should start your GDPR preparations now.
They stand together.
GDPR builds on the current law. Put simply, we are now expected to treat Data Protection seriously.
Why GDPR and a new DPA?
GDPR is supposed to give citizens greater control over their personal data.
With the rapid advance in technology, organisations and companies are collecting and retaining huge amounts of personal data. Quite often it is not clear what data they are collecting and what they are doing with it. There is a concern that we have an imbalance of power in the relationship between the individual and those gathering our data. Could that power be used to deny us services if we do not provide the data requested?
The GDPR makes it clear that organisations must justify why they need our data and what they will use it for. With some exceptions, they will have no right to keep data any longer than is necessary or when we withdraw permission.
Until GDPR, there was no EU wide standard regulation for Data Protection, simply a directive.
In layman’s terms, a directive tells EU states what they have to achieve, not how. The GDPR states how.
The current Data Protection Act was introduced just as the internet came to our attention. Facebook hadn’t been created and “to Google” wasn’t in the dictionary.
Whilst the current Act anticipated high-volume processing of personal data, it simply did not envisage the situation we have today. It has not kept pace with technological developments and new commercial processes brought about by the internet.
It’s time to bring the law up to date.
So how do you move on from here?
With its recitals, the GDPR is 160 pages long. I don’t think anyone seriously expects you to read it all.
Even now, the EU working parties and the Information Commissioner’s Office are still working on materials to help organisations understand and apply the regulations. Think of them as a Highway Code to the GDPR.
Go to the ICO website, which they are updating on a regular basis, and please check our website for some practical topics.
According to the ICO, by the 25th of May 2018, your objective should be to have plans and processes in place to meet the regulations and to show how you will ensure compliance. They want to see that you are making progress.
A word of warning. I assume the ICO will expect you to be meeting some or all of your obligations under the current law already.
Conclusion
This must be the only article not to mention penalties. I will leave that to the FUD salesmen. The priority now is to knuckle down and get the job done.