“Get GDPR compliant now! warns expert”. I don’t know about anybody else but, quite frankly, I’m getting a bit bored by repeatedly seeing such headlines. This is particularly so where the headline is intended to encourage an organisation to engage a so-called expert to sort out its GDPR compliance.
For those who don’t know and haven’t be bombarded by such headlines, GDPR stands for the General Data Protection Regulation and is the basis for new data protection laws coming into force on 25 May 2018 both in the UK and throughout the rest of the EU. As we alluded to in our recent article, we do not know how any so-called expert could have purported to get an organisation GDPR compliant without knowing how the UK was intending to implement GDPR. Now that the Data Protection Bill has been published, we have a much clearer (though still not complete) view as to what UK data protection law will look like on 25 May 2018.
It seems that I’m not the only one fed-up with such headlines. In a recent forthright blog from the ICO, the Information Commissioner’s Office (the UK’s independent authority responsible for data protection enforcement), the ICO’s Deputy Commissioner accused various so-called experts of “misinformation and outright scaremongering” about GDPR. Instead the ICO’s Deputy Commissioner insisted that “GDPR is an evolution in data protection, not a burdensome revolution.”
So where’s the truth? It is fair to say that if your organisation is complying with the current law under the Data Protection Act 1998, it is well on the way to GDPR compliance. However, your organisation is still going to have to take many steps to comply including: reviewing the consents it gets for processing personal data, being able to demonstrate how it complies with GDPR, complying with new rules on processing child data and (if it employs more than 250 employees) documenting its processing activities. That’s an awful lot of new compliance.
I think, however, that the ICO’s blog misses a point which is that, in our experience, most organisations are a considerable way off from complying with the Data Protection Act 1998 so they are even further away from GDPR compliance. This is where GDPR compliance then becomes scary for these organisations. The top fine for breach of data protection law will move from £500,000 (under the Data Protection Act 1998) to the greater of €20 million and 4% of global turnover under GDPR. Suddenly, whilst an organisation might have survived previously a data breach, it now may face extinction.
I agree with the ICO that there has been plenty of misinformation and scaremongering from so-called experts. At the same time, it is pretty obvious that for most organisations compliance will not be straightforward. The ICO’s blog (which is no more than a personal opinion) might be said to be encouraging a laissez-faire approach to compliance with the GDPR which is contrary to the ICO’s official approach. For example, the ICO itself has for several months been advising organisations about the steps organisations should be taking now to comply so admits that compliance is far from simple and straightforward.
And as for the so-called scaremongering expert, our advice is to steer clear of anyone offering GDPR compliance who is not already experienced in data protection law and is not a qualified solicitor backed by professional indemnity insurance. At Jordans Corporate Law, we have spent considerable time familiarising ourselves with the wording of the GDPR (we can even point out where the ICO’s guidance conflicts with the GDPR wording). We have also developed a robust checklist that we can use to check how close an organisation is to GDPR compliance.