Ed Boal, Head of Digital Media & Technology at Gregg Latchams, shares his views on the upcoming GDPR regulations.
Despite the fact that data protection law is nothing new, the GDPR has everyone’s head in a spin. And with only a few months to go before the GDPR becomes effective (how did that happen!?), panic is beginning to set in. So my first message is: keep calm!
There are a number of reasons why businesses have struggled to get their preparations under way, most commonly because of a belief that they have to achieve ‘perfect compliance’.
The media has not helped, over-hyping fears of massive fines and ensuing bankruptcies. This makes it hard for businesses to scope out how much work is needed to achieve a basic standard of GDPR compliance and, as a result, they have become paralysed by it. ‘Perfect compliance’ is a myth.
Yes, the GDPR is a complex piece of law and even we lawyers find ourselves in uncharted waters. But when you take a step back, the GDPR is about holding your organisation to the highest data governance and information management standards that you can achieve.
The GDPR promotes a risk-based approach. This does not mean throwing caution to the wind, but considering what steps are appropriate for your business, taking into account the nature, scope and context of how you process personal data and the associated risks to individuals. Practical compliance is the order of the day.
As for enforcement, every business would do well to read the mythbusting blogs published by the Information Commissioner’s Office (ICO). The ICO has made it clear that they will be looking for evidence of a ‘compliance building programme’ and that they will not be making early examples of businesses for minor breaches.
That said, the ICO is quick to remind us all that we have had two years to prepare for the GDPR. So my second message is: if you have not begun your preparations, don’t carry on burying your head in the sand – the 25th of May is only just the beginning.