GDPR deadline - how much do we need to panic?
May 25 sees start of new compliance laws
As of 25 May this year, compliance with the new General Data Protection Regulation (GDPR) will be required.
The GDPR rules are designed to overhaul the safeguards on how the personal data of individuals in Europe may be collected, stored and used. The recent furore surrounding Facebook serves to highlight the concerns the new rules are meant to address: what are organisations doing with our data, where does it end up, and how can we take back control? Most businesses and other organisations will be caught by the new rules. Some are still blissfully unaware of the approaching deadline, some are confident that they have all their ducks in a row, some are panicking because they haven’t, and others are confused by the deluge of (often contradictory) information on the subject and the opt-in emails they are being bombarded with. Part of the problem is that the GDPR encapsulates all that is good and bad about the European Union. On the good side, it shows a concerted desire to safeguard our privacy; on the bad side, it is long and complex and in places the meaning of the rules is unclear. The confusion with which it has been met is therefore hardly surprising.
Numerous summaries of the contents of the GDPR and of the obligations it imposes are currently available, almost ad nauseam. This article therefore merely serves to highlight a few key misconceptions.
It won’t affect us.
Yes, it most probably will. Personal data means any information relating to an identified or identifiable individual, and most organisations store data on individuals, whether customers, suppliers or employees. Even a small, private concern like an art club or an allotment society will be affected.
More pointless regulations – no one really cares about all this.
This is true much of the time. However, patients don’t like it when their medical data accidentally ends up in the public domain or is sold to actuaries. People who make a one-off SMS donation to a charity don’t like it when the charity uses that as an excuse to keep phoning up for more. No one likes being called in the middle of the night about PPI compensation. Jobseekers take exception to their CVs being bandied about without their consent. All of these infractions have resulted in fines and naming and shaming under the current data protection regime; penalties will be more severe after 25 May.
Do we really have to bankrupt ourselves complying with all of this?
Not necessarily. The steps you must take should be proportionate to the size of your organisation and its resources, and to the extent and nature of the personal data you control or process. An NHS Trust or a social media multinational therefore faces a much higher burden of compliance than a salon of three hairdressers, but no one is completely off the hook.
25 May isn’t a hard deadline – the regulator will cut us some slack if we’re not quite ready by then.
No, it won’t. Full liability for non-compliance kicks in at that point. The fact remains that many organisations won’t be compliant by then and, even for those whose preparatory measures are on track, 100 per cent compliance is a tall order. That said, the regulator, the Information Commissioner’s Office (ICO), expects all affected organisations to do their best to comply and to be able to show the steps they have taken.
We won’t be ready in time – all we can do is just sit and wait to be fined.
The risk of this is low. What is most likely to happen is that the ICO will begin by auditing and, if necessary, fining large, high-profile organisations which are the subject of data breaches or legitimate complaints from members of the public. We can expect a few landmark cases in the coming months as the new regulations are tested. However, this is no reason for organisations below the ICO’s immediate radar not to attain compliance as soon as reasonably possible, and no one wants to be the subject of the first test case anyway.
We can just dump this job on some poor mug in accounts.
No, you can’t. Whether or not you need to appoint a Data Protection Officer (and you may need to seek specialist advice on that point), getting up to speed with the GDPR requires active buy-in from management and input from every branch of your organisation, including HR, IT, legal, regulatory and finance. On the plus side, there are plenty of outside professional experts you can seek advice from, and the ICO has a very useful helpline and FAQ page on its website. The ICO wants organisations to get this right. If you are still unsure of what to do, or fear that you will not be ready in time, you should seek help now.
For more information email Simon Portman at Marks & Clerk Solicitors LLP at firstname.lastname@example.org.