GDPR is coming. You’ve either spent months worrying about the most extensive changes to data protection law in 20 years, had it in the back (or perhaps front) of your mind, or you’ve not noticed it at all.
If you’ve not noticed it, you’ve saved yourself months of worry, and there have to be benefits to that! You’ve not had to think about how to find the time and resources to deal with GDPR; you haven’t had to get your head around how your business is going to deal with the updated regulations. What is more, if you do have a need to worry, you’ve managed to shorten your worry window by cramming it into a shorter time – some of it after GDPR is already in force – rather than worrying about it and putting in time over months.
So really, maybe you’re better without the worry; or maybe there’s been nothing to worry about. Maybe, maybe not…
Data Protection law – the background
The General Data Protection Regulation is an EU regulation which has been law since June 2016, and it applies from 25 May 2018. It updates the directive which, in the UK, is found in the Data Protection Act 1998. It’s unaffected by Brexit; from the outset the UK government has confirmed that GDPR will apply and will continue to apply. For the UK to seek to apply lower data protection standards than the EU would be unthinkable.
Ensuring you and your business comply
GDPR Compliance has attracted attention in a way which the Data Protection Act never did – for many organisations the DPA only seemed to merit a passing acquaintance. If GDPR still hasn’t attracted your attention, now might be a good time.
The procedural requirements of GDPR – including being able to demonstrate what personal data a business holds, by what right it holds it, how it protects it and how it will cease to hold it – have been seen either as an incremental change or as a step change. The data protection principles are little changed; but for those working in this field, it’s become increasingly clear that the changes are actually far reaching.
In the UK the body responsible for enforcing and advising on data protection is the Information Commissioner’s Office (ICO), and in certain ways it has been trying to relay an “it’s just common sense” message: that it’s just about treating personal data with proper respect. However, the volume of material – excellent as it is – at www.ico.org.uk is really telling us that it’s not at all easy. Though we advise on this area, we’ve also had to do a tremendous volume of work on our own business to meet our understanding of the requirements. The requirements are not always clear – in many cases you have to make your own judgement as to what the right action to take is.
Understand your business needs
You might think that our first advice would be that you need a lawyer, or a GDPR consultant of some type, to take you on your GDPR journey. Actually, it’s not.
We don’t think there is a substitute for understanding what this is about yourself, for immersing yourself in ICO materials. Sure, you might need lawyers to assist with drafting policies, and to ensure contracts are correctly drafted to meet data protection responsibilities. But that was always the case. What we think is that each business has to take its own responsibility for understanding what personal data it has, and what it can do with it. It might be culturally natural to do this, or it might be a culture shift.
Each type of business has different needs – if you are a data aggregator, you have very specific and extensive requirements; if you are making and selling metal pipes to businesses, they’re different. If you’re a recruitment company, they’re one thing; a property business, something else. Your starting point will be understanding your data, but your journey from there will be very different. The business has to understand its position at a fundamental level, and that cannot involve a template or a quick fix.
The business people who have said to me “it’s all about consent”, or “it’s all about e-mail security”, are either wholly wrong or trying to sell an e-mail security product.
Personal data is now so vulnerable and so available that every business has to take responsibility for it itself – as it would protect its money, the health of its employees, or its responsibility not to injure its customers. This is on the same scale and demands the same attention – now and ongoing, not as a one-off. Engage with protecting personal information.
Paul Berwin is a leading technology and digital law specialist and heads Berwins Digital, the specialist IT and Technology division of Berwins.