GDPR is not Y2K

By Information Commissioner Elizabeth Denham.

I’ve been pleased to hear from many of you that the eight GDPR myth busting blogs we’ve run this year have been helpful in your preparations for the new legislation.

There are still some myths out there though and, as we approach Christmas and New Year, there’s one in particular I wanted to bust:

Myth #9: GDPR compliance is focused on a fixed point in time – it’s like the Y2K Millennium Bug

I’m still picking up a lot of concern from organisations about preparing for the GDPR by May.

Much of that is understandable – there’s work required to get ready for the new legislation, and change often creates uncertainty.

However, some of the fear is rooted in scaremongering, whether because of misconceptions or in a bid to sell ‘off the shelf’ GDPR solutions.

I’ve even heard comparisons between the GDPR and the preparations for the Y2K Millennium Bug. In 1999 there was fear that New Year’s Eve would see computers crash, planes fall out of the sky and nuclear war start by accident.

In the run up to 25 May 2018 there have been anxieties too, albeit on a less apocalyptic level: that we’ll make early examples of organisations for minor breaches, that we’ll reach for large fines straight away, and that the new legislation is an unnecessary burden on organisations.

I want to reassure those that have GDPR preparations in train that there’s no need for a Y2K level of fear. Here’s why:

Fact: GDPR compliance will be an ongoing journey

Unlike planning for the Y2K deadline, GDPR preparation doesn’t end on 25 May 2018 – it requires ongoing effort.

It’s an evolutionary process for organisations – 25 May is the date the legislation takes effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.

That said, there will be no ‘grace’ period – there have been two years to prepare and we will be regulating from this date.

But we pride ourselves on being a fair and proportionate regulator and this will continue under the GDPR, as I set out in my first myth busting blog. Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.

That means being able to show you have been thinking about the essential elements outlined below and who is responsible for what within the business.

By now you should be putting key building blocks in place to ensure your organisation implements responsible data practices:

  • Organisational commitment – Preparation and compliance must be cross-organisational, starting with a commitment at board level. There needs to be a culture of transparency and accountability as to how you use personal data – recognising that the public has a right to know what’s happening with their information.
  • Understand the information you have – Document what personal data you hold, where it came from and who you share it with. This will involve reviewing your contracts with third party processors to ensure they’re fit for the GDPR.
  • Implement accountability measures – Including appointing a data protection officer if necessary, considering lawful bases, reviewing privacy notices, designing and testing a data breach incident procedure that works for you and thinking about which new projects in the coming year could need a Data Protection Impact Assessment.
  • Ensure appropriate security – You’ll need continual rigour in identifying security vulnerabilities and cyber risks and taking appropriate steps to address them.
  • Train staff – Staff are your best defence and your greatest potential weakness; regular and refresher training is a must.

Unlike Y2K, the GDPR is not a complete unknown

There were a lot of predictions in the run up to the millennium about what would happen to computer systems when the clock struck midnight. Would banks collapse, power grids fail and chaos ensue?

But with the GDPR – we all know what’s coming. It’s a known known. Much of the GDPR builds on the existing Data Protection Act 1998. There’s also guidance and a lot of help out there, including our Guide to the GDPR, as well as other help from us, from the Article 29 Working Party, from industry associations and from data protection experts. We know there are particular challenges for small organisations. That is why we are targeting specific advice, FAQs, a helpline and toolkits at them. And there’ll be more help to come throughout 2018 and beyond.

So, in summary, the GDPR is not the Millennium Bug – there’s no wondering if the new legislation will happen, it will. But with that certainty comes an opportunity for good data protection practice to pervade your organisation. This will benefit not just your customers but your organisation as well as it reaps the reputational rewards, allowing it to thrive in the new privacy landscape.

Yes budgets can be tight, technology is moving fast and there’s a race to keep up with competitors. But if you can demonstrate that you have the appropriate systems and thinking in place you will find the ICO to be a proactive and pragmatic regulator aware of business needs and the real world.

Elizabeth Denham was appointed Information Commissioner in July 2016. Her key goal is to increase the UK public’s trust and confidence in what happens to their personal data.

6 Responses to GDPR is not Y2K

  1. Anonymous says:

    I appreciate the need for the GDPR in today’s world and I value that the basis of the legislation is privacy as a human right.

    However, I cannot accept that implementing compliant processes in a way that addresses four interlocking pieces of legislation (the GDPR, the Data Protection Act, PECR and the ePrivacy Regulation) is anything less than onerous – especially for large organisations with many data sources, CRMs, contact forms and so on. It is taking hours and hours of research and understanding to even know what the nuances of the legislation are, let alone design and implement processes.

    For many digital marketers the day job is starting to feel like something out of the bureaucratic dystopia in the Terry Gilliam film Brazil, even if the principles behind the legislation are noble.

    The trouble is that the legislation does not make clear what ‘compliance’ actually is. This may be deliberate in order to force businesses to err on the side of caution. However, it also means that prosecutions will probably be lengthy, expensive affairs and that too literal an application of the new regulations will cause significant damage to large sectors of the economy as businesses find they are unable to be compliant. This could be either because they simply do not understand how to be or because they are using systems that make compliance difficult, or both. A large amount of thought as to how the law in this area is managed and applied is essential.

    I would suggest an amnesty period post-May 2018, with no or low penalties for prosecutions in the first two years. This will give government, legislature, business and the general public the necessary time to learn how this complex area of law can be applied in fair and practical ways.

    • Anonymous says:

      We have all had two years to prepare for the implementation of GDPR. How can we expect an amnesty period?

      In my opinion, this will give businesses the kick they have needed for the past twenty years as Data Protection compliance has been seriously lacking from what I have seen over the years.

  2. Brian Hopla says:

    I recently wrote an infosec piece for a newsletter making the same point about GDPR and Y2K. Reassuring to know the Information Commissioner and I are on the same page!!

  3. Mark Gleaves says:

    Basically, this is what I have been saying for the last few months. Some companies are getting themselves into a bit of a tizzy (although, it’s fair to say they were given plenty of notice that this was coming). However, the facts are that many are not going to be 100% compliant, perfect, squeaky-clean, comprehensive, the epitome of a data curator, by 25 May 2018 – that’s just 146 days away.

    What businesses and organisations must do now – especially if they are ‘behind’ with GDPR – is to ensure they understand what data they have, from where it is sourced, to whom they provide it, and for what purposes it is used. Confirm their state of compliance to existing legislation, and whether there are any current operational weaknesses, in-house and within third parties. Perform a gap analysis between as-is and the GDPR to-be. Prepare a strategy and a plan to achieve full GDPR compliance. Prioritise development. Address the riskier areas of non-compliance first. Be able to demonstrate commitment to reasonable and realistic timescales for addressing other weaknesses and shortcomings in respect of the new legislation and, similarly, commitment to continuous monitoring, review and improvement.

    If a company/organisation has a breach post-25 May 2018, then that’s unfortunate. If a company/organisation suffers a breach post-25 May 2018 and has no GDPR strategy and a plan, then that’s bad. Really bad.

  4. Pingback: GDPR is not Y2K « Data Protection News

  5. Oliver Price says:

    In my role as lawyer I have been presenting a number of talks and seminars and have made the same point as here. I have also explained that the ICO in her regular blogs has offered more balance than has been presented in the media. In terms of managing real risks there is much that can be done at a practical level.

    Before Christmas I tabled a question to the ICO about breach reporting and how the ICO intends to handle complaints and manage the spectrum that will be presented to her. The strict requirement includes for all breaches to be reported, and it opens the opportunity for the ICO to be able to exercise a more balanced and reasonable approach in how those are dealt with.

    Depending on what sort of guidance arises on that point, I tend to advise that even if companies do not need a DPO, then they do need to resource handling the new rules and ensuring breaches are reported (which means in practice many companies not needing one, will appoint a DPO).
