By Information Commissioner Elizabeth Denham.
I’ve been pleased to hear from many of you that the eight GDPR myth busting blogs we’ve run this year have been helpful in your preparations for the new legislation.
There are still some myths out there though and, as we approach Christmas and New Year, there’s one in particular I wanted to bust:
Myth #9: GDPR compliance is focused on a fixed point in time – it’s like the Y2K Millennium Bug
I’m still picking up a lot of concern from organisations about preparing for the GDPR by May.
Much of that is understandable – there’s work required to get ready for the new legislation, and change often creates uncertainty.
However, some of the fear is rooted in scaremongering, whether born of misconceptions or of a bid to sell ‘off the shelf’ GDPR solutions.
I’ve even heard comparisons between the GDPR and the preparations for the Y2K Millennium Bug. In 1999 there was fear that New Year’s Eve would see computers crash, planes fall out of the sky and nuclear war start by accident.
In the run up to 25 May 2018 there have been anxieties too, albeit on a less apocalyptic level: that we’ll make early examples of organisations for minor breaches, that we’ll reach for large fines straight away, and that the new legislation is an unnecessary burden on organisations.
I want to reassure those that have GDPR preparations in train that there’s no need for a Y2K level of fear. Here’s why:
Fact: GDPR compliance will be an ongoing journey
Unlike planning for the Y2K deadline, GDPR preparation doesn’t end on 25 May 2018 – it requires ongoing effort.
It’s an evolutionary process for organisations – 25 May is the date the legislation takes effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.
That said, there will be no ‘grace’ period – there have been two years to prepare and we will be regulating from this date.
But we pride ourselves on being a fair and proportionate regulator and this will continue under the GDPR, as I set out in my first myth busting blog. Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.
That means being able to show you have been thinking about the essential elements outlined below, and who is responsible for what within the business.
By now you should be putting key building blocks in place to ensure your organisation implements responsible data practices:
- Organisational commitment – Preparation and compliance must be cross-organisational, starting with a commitment at board level. There needs to be a culture of transparency and accountability as to how you use personal data – recognising that the public has a right to know what’s happening with their information.
- Understand the information you have – document what personal data you hold, where it came from and who you share it with. This will involve reviewing your contracts with third party processors to ensure they’re fit for GDPR.
- Implement accountability measures – including appointing a data protection officer if necessary, considering lawful bases, reviewing privacy notices, designing and testing a data breach incident procedure that works for you and thinking about what new projects in the coming year could need a Data Protection Impact Assessment.
- Ensure appropriate security – you’ll need continual rigour in identifying security vulnerabilities and cyber risks and taking appropriate steps to address them.
- Train staff – staff are your best defence and your greatest potential weakness; regular and refresher training is a must.
Unlike Y2K, the GDPR is not a complete unknown
There were a lot of predictions in the run up to the millennium about what would happen to computer systems when the clock struck midnight. Would banks collapse, power grids fail and chaos ensue?
But with the GDPR – we all know what’s coming. It’s a known known. Much of the GDPR builds on the existing Data Protection Act 1998. There’s also guidance and a lot of help out there, including our Guide to the GDPR, as well as other help from us, from the Article 29 Working Party, from industry associations and from data protection experts. We know there are particular challenges for small organisations. That is why we are targeting specific advice, FAQs, a helpline and toolkits. And there’ll be more help to come throughout 2018 and beyond.
So, in summary, the GDPR is not the Millennium Bug – there’s no wondering if the new legislation will happen, it will. But with that certainty comes an opportunity for good data protection practice to pervade your organisation. This will benefit not just your customers but your organisation as well as it reaps the reputational rewards, allowing it to thrive in the new privacy landscape.
Yes, budgets can be tight, technology is moving fast and there’s a race to keep up with competitors. But if you can demonstrate that you have the appropriate systems and thinking in place, you will find the ICO to be a proactive and pragmatic regulator, aware of business needs and the real world.
Elizabeth Denham was appointed Information Commissioner in July 2016. Her key goal is to increase the UK public’s trust and confidence in what happens to their personal data.