GDPR is not Y2K

Listen to our March 2018 podcast answering your questions on GDPR myths.

By Information Commissioner Elizabeth Denham.

I’ve been pleased to hear from many of you that the eight GDPR myth busting blogs we’ve run this year have been helpful in your preparations for the new legislation.

There are still some myths out there though and, as we approach Christmas and New Year, there’s one in particular I wanted to bust:

Myth #9: GDPR compliance is focused on a fixed point in time – it’s like the Y2K Millennium Bug

I’m still picking up a lot of concern from organisations about preparing for the GDPR by May.

Much of that is understandable – there’s work required to get ready for the new legislation, and change often creates uncertainty.

However, some of the fear is rooted in scaremongering, whether born of misconceptions or of a bid to sell ‘off the shelf’ GDPR solutions.

I’ve even heard comparisons between the GDPR and the preparations for the Y2K Millennium Bug. In 1999 there was fear that New Year’s Eve would see computers crash, planes fall out of the sky and nuclear war accidentally start.

In the run up to 25 May 2018 there have been anxieties too, albeit on a less apocalyptic level: fears that we’ll be making early examples of organisations for minor breaches or reaching for large fines straight away, and that the new legislation is an unnecessary burden on organisations.

I want to reassure those that have GDPR preparations in train that there’s no need for a Y2K level of fear. Here’s why:

Fact: GDPR compliance will be an ongoing journey

Unlike planning for the Y2K deadline, GDPR preparation doesn’t end on 25 May 2018 – it requires ongoing effort.

It’s an evolutionary process for organisations – 25 May is the date the legislation takes effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.

That said, there will be no ‘grace’ period – there have been two years to prepare and we will be regulating from this date.

But we pride ourselves on being a fair and proportionate regulator and this will continue under the GDPR, as I set out in my first myth busting blog. Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.

That means being able to show you have been thinking about the essential elements outlined below and who is responsible for what within the business.

By now you should be putting key building blocks in place to ensure your organisation implements responsible data practices:

  • Organisational commitment – Preparation and compliance must be cross-organisational, starting with a commitment at board level. There needs to be a culture of transparency and accountability as to how you use personal data – recognising that the public has a right to know what’s happening with their information.
  • Understand the information you have – document what personal data you hold, where it came from and who you share it with. This will involve reviewing your contracts with third party processors to ensure they’re fit for GDPR.
  • Implement accountability measures – including appointing a data protection officer if necessary, considering lawful bases, reviewing privacy notices, designing and testing a data breach incident procedure that works for you and thinking about what new projects in the coming year could need a Data Protection Impact Assessment.
  • Ensure appropriate security – you’ll need continual rigour in identifying and taking appropriate steps to address security vulnerabilities and cyber risks.
  • Train staff – staff are your best defence and greatest potential weakness, so regular and refresher training is a must.

Unlike Y2K, the GDPR is not a complete unknown

There were a lot of predictions in the run up to the millennium about what would happen to computer systems when the clock struck midnight. Would banks collapse, power grids fail and chaos ensue?

But with the GDPR – we all know what’s coming. It’s a known known. Much of the GDPR builds on the existing Data Protection Act 1998. There’s also guidance and a lot of help out there, including our Guide to the GDPR, as well as other help from us, from Article 29, from industry associations and data protection experts. We know there are particular challenges for small organisations. That is why we are targeting specific advice, FAQs, a helpline and toolkits. And there’ll be more help to come throughout 2018 and beyond.

So, in summary, the GDPR is not the Millennium Bug – there’s no wondering if the new legislation will happen, it will. But with that certainty comes an opportunity for good data protection practice to pervade your organisation. This will benefit not just your customers but your organisation as well as it reaps the reputational rewards, allowing it to thrive in the new privacy landscape.

Yes budgets can be tight, technology is moving fast and there’s a race to keep up with competitors. But if you can demonstrate that you have the appropriate systems and thinking in place you will find the ICO to be a proactive and pragmatic regulator aware of business needs and the real world.

Elizabeth Denham was appointed Information Commissioner in July 2016. Her key goal is to increase the UK public’s trust and confidence in what happens to their personal data.

23 Responses to GDPR is not Y2K

  1. Anonymous says:

    I appreciate the need for the GDPR in today’s world and I value that the basis of the legislation is privacy as a human right.

    However, I cannot accept that implementing compliant processes in a way that addresses four interlocking pieces of legislation (the GDPR, the Data Protection Act, PECR and the ePrivacy Regulation) is anything less than onerous – especially for large organisations with many data sources, CRMs, contact forms and so on. It is taking hours and hours of research and understanding to even know what the nuances of the legislation are, let alone design and implement processes.

    For many digital marketers the day job is starting to feel like something out of the bureaucratic dystopia in the Terry Gilliam film Brazil, even if the principles behind the legislation are noble.

    The trouble is that the legislation does not make clear what ‘compliance’ actually is. This may be deliberate in order to force businesses to err on the side of caution. However, it also means that prosecutions will probably be lengthy, expensive affairs and that too literal an application of the new regulations will cause significant damage to large sectors of the economy as businesses find they are unable to be compliant. This could be either because they simply do not understand how to be or because they are using systems that make compliance difficult, or both. A large amount of thought as to how the law in this area is managed and applied is essential.

    I would suggest an amnesty period post-May 2018, with no or low penalties for prosecutions in the first two years. This will give government, legislature, business and the general public the necessary time to learn how this complex area of law can be applied in fair and practical ways.

    • Anonymous says:

      We have all had two years to prepare for the implementation of GDPR. How can we expect an amnesty period?

      In my opinion, this will give businesses the kick they have needed for the past twenty years as Data Protection compliance has been seriously lacking from what I have seen over the years.

      • Andy Hartman says:

        You are right that we have had two years to prepare for GDPR implementation, but even still the guidance is not finalised. For example, the ICO is waiting for the Article 29 Working Party’s finalised guidance on consent before they release their final version.

      • Ali says:

        I can empathise with what OP is saying. Yes we’ve had 2 years to prepare, but a lot of the caveats that are in the DPA (e.g. info sharing for prevention & detection of crime, DPA S29(3)), are not in GDPR. Therefore we’re still waiting for the Data Protection Bill to pass through parliament. It’s only just got to the House of Commons.

        We can’t plan/prepare effectively if the legislation isn’t ready yet. Even if it reaches Royal Assent in the next month, that’s still not enough time for organisations to analyse and implement any changes, hence the need for a grace period. OP was not asking for organisations to be let off scot-free for any breaches, but to exercise leniency and caution to the plight organisations are facing in what is the biggest data protection change in 30 years.

    • Anonymous says:

      The Data Protection Act has been in force for 20 years and GDPR was known about 2 years ago, so digital marketers have no excuse for not adhering to the law and respecting the rights of individuals whose data they hold.

  2. Brian Hopla says:

    I recently wrote an infosec piece for a newsletter making the same point about GDPR and Y2K. Reassuring to know the Information Commissioner and I are on the same page!!

  3. Mark Gleaves says:

    Basically, this is what I have been saying for the last few months. Some companies are getting themselves into a bit of a tizzy (although, it’s fair to say they were given plenty of notice that this was coming). However, the facts are that many are not going to be 100% compliant, perfect, squeaky-clean, comprehensive, the epitome of a data curator, by 25 May 2018 – that’s just 146 days away.

    What businesses and organisations must do now – especially if they are ‘behind’ with GDPR – is to ensure they understand what data they have, from where it is sourced, to whom they provide it, and for what purposes it is used. Confirm their state of compliance to existing legislation, and whether there are any current operational weaknesses, in-house and within third parties. Perform a gap analysis between as-is and the GDPR to-be. Prepare a strategy and a plan to achieve full GDPR compliance. Prioritise development. Address the riskier areas of non-compliance first. Be able to demonstrate commitment to reasonable and realistic timescales for addressing other weaknesses and shortcomings in respect of the new legislation and, similarly, commitment to continuous monitoring, review and improvement.

    If a company/organisation has a breach post-25 May 2018, then that’s unfortunate. If a company/organisation suffers a breach post-25 May 2018 and has no GDPR strategy and a plan, then that’s bad. Really bad.

    • Anonymous says:

      The only people materially benefiting from this technocratic waltz are consultants and project managers. Even their (paid for) advice is only ‘best guess’. Any official guidance will be issued after the event – too late to be of any use. There have been ‘two years to comply’, sure – comply with what?

  4. Pingback: GDPR is not Y2K « Data Protection News

  5. Oliver Price says:

    In my role as lawyer I have been presenting a number of talks and seminars and have made the same point as here. I have also explained that the ICO in her regular blogs has offered more balance than has been presented in the media. In terms of managing real risks there is much that can be done at a practical level.

    Before Christmas I tabled a question to the ICO about breach reporting and how the ICO intends to handle complaints and manage the spectrum that will be presented to her. The strict requirement includes for all breaches to be reported and it opens the opportunity for the ICO to be able to exercise a more balanced and reasonable approach in how those are dealt with.

    Depending on what sort of guidance arises on that point, I tend to advise that even if companies do not need a DPO, then they do need to resource handling the new rules and ensuring breaches are reported (which means in practice many companies not needing one, will appoint a DPO).

  6. Drew Faulkner says:

    Somewhat disingenuous to state that everyone has had 2 years to prepare, when the ICO is only now developing and publishing advice. It’s a work-in-progress, with no stated date for final publication. If the ICO couldn’t understand and explain the legislation in the last couple of years, how are companies expected to be able to have done the same?

  7. Pete Austin says:

    Re: “Unlike Y2K, the GDPR is not a complete unknown”.

    Exactly the opposite. The effects of Y2K were completely known and techies could write test cases far in advance, to make sure in advance our systems would work reliably. This is why nothing went wrong when the new year started. But GDPR is very much a matter of opinion.

    There’s not even any guidance over really simple issues. For example, when an alleged data subject phones up, claiming they visited our website last week and asking to assert their new rights to see and correct “their” data, how certain do we have to be that they are who they say they are and not an identity thief.

  8. Bob Cullen says:

    I work from home in a business that I was told officially did not require registration under the Data Protection Act. However, only yesterday (15/01/2018) when I called the ICO they confirmed there would continue to be exceptions but could not confirm whether or not I would fall under the new legislation, as they have received no clarification themselves. At this stage that is ridiculous.

  9. Anonymous says:

    Will this affect organisations such as the NHS, 3rd sector etc? As a lay person who is also a trustee of a small charity, I feel rather lost by this. We’ve currently been updating training regarding consent on information sharing. Is this also something we need to incorporate into that training, especially as we’re also updating our computer / intranet system?

  10. A good read, thanks guys !!!

  11. Clare Chalmers says:

    I hope the ico will ensure Local Authorities and those operating the Named Person scheme comply fully with GDPR, as you say the data protection laws have not changed since 1998, GDPR offers enhanced protection. Families should not be abused the way they have been with no accountability, which the Scottish ico encouraged in 2013.
    Families have been badly served by this incorrect lowering of thresholds.

  12. Valdo says:

    Analogy with the statement “GDPR will stop dentists ringing patients to remind them about appointments”: what about Honda cars made in UK and sold in EU which at every engine start display a warning icon with the notice of service reminder within 3000 kilometers, 2850 km, …. and so on. Or a mandatory OK confirmation when you want the radio on???

  13. Anonymous says:

    Load of bollocks as usual

  14. Sav says:

    A much needed post to help calm the industries running around with their hands in the air; however I wonder whether this post should fully apply to the 100ish organisations that have BCRs in place considering the ICO blog posted 20th November states (inter alia): “Organisations that have previously had BCRs approved by the ICO will need to ensure that they (and all their data processing) are GDPR compliant by 25 May 2018, as there is a requirement that BCRs take into account modifications of the regulatory environment.”

  15. David says:

    One of the best reads on GDPR I have seen – Thank You

  16. Rob says:

    Hi Elizabeth, I run a web development company on the south coast of the UK and have a number of customers asking me specifically about Google Analytics. Wondered if you could reply with your take on this as at the moment the way in which the law is reading is that Google Analytics has to be turned off by default which will of course render most websites not having any idea of number of visitors etc..

  17. David Tooth says:

    It would be very helpful for some more detailed guidance as to how these changes impact upon healthcare providers, especially GP practices. At present it is even unclear under which category we should be listing our reason for holding data, and the vague definitions around volume of sensitive data are worrisome. NHS Trusts and over 8000 GP practices need a clear steer to avoid thousands of hours of (NHS) time being wasted on multiple and varied attempts to alter our practice to fit with the changes. Whilst such guidance has been discussed I can still find no trace of it (which might be my error!)… Thank you
