GDPR: evolution not revolution
01 Sep 2017
The latest in the ICO’s myth busting series claims that the GDPR should be seen as building on the foundations of current data protection law - and not as a revolution in the way organisations handle and store personal data.
This is true to a degree but of course offers little consolation for organisations grappling with the various and complex compliance challenges.
The GDPR is not a revolution in data protection, but it is a watershed moment for organisations to overhaul the way they treat personal data and for the quest to make responsible data handling a core brand value.
Steve Wood’s thoughts focus on the accountability principle, which has been a running theme in most of Elizabeth Denham’s articles to date and in her conversations with the DMA.
The ICO clearly see this as the most important change.
As Steve Wood explains: “What must be recognised is that GDPR is an evolution in data protection, not a total revolution. It demands more of organisations in terms of accountability for their use of personal data and enhances the existing rights of individuals.
“GDPR is building on foundations already in place for the last 20 years.”
Remember, accountability means organisations must take on greater responsibility in terms of record keeping and be able to justify their processing activity.
Companies should know what legal bases they’re relying on in order to process personal data and ensure that their customers are informed of how their personal data is processed.
This principle applies whether you are a B2C or a B2B marketer. The GDPR applies if you’re dealing with personal data and most B2B data is personal.
If you are an organisation abiding by the current law and DMA best practice then you are well placed to deal with the GDPR. There will be other companies struggling to comply with the current law and they will be the ones that flounder come May 2018.
Steve Wood said: “Many of the fundamentals remain the same and have been known about for a long time. Fairness, transparency, accuracy, security, minimisation and respect for the rights of the individual whose data you want to process – these are all things you should already be doing with data and GDPR seeks only to build on those principles.”
This is true: the GDPR is a principles-based piece of legislation similar to the Data Protection Act 1998, but it does pose a number of challenges to businesses. Its principles-based nature means that organisations are left to justify their behaviour and there often isn’t a black and white answer.
Coupled with the lack of guidance - or any case law - at this stage, this creates business uncertainty.
However, in essence the ICO are correct and GDPR is more evolution than revolution. It is those organisations that are behind the times now that will really struggle to cope with the change.
The DMA recently published its ‘how to audit your data’ infographic and this will be followed by a guide to working out your legal basis for processing personal data, including examples of GDPR compliant consent statements.