GDPR is not Y2K
04 Jan 2018
Remember the Y2K bug?
Elizabeth Denham does.
Her latest article draws comparisons between the time when many believed computers would fail at the turn of the millennium and the impending GDPR, debunking the myth and much more.
Despite what some might feel, the world will not implode when we all wake up on the 26 May 2018.
Far from it.
Denham reminds organisations that the GDPR is an evolutionary process that doesn’t end in May.
She said: “25 May is the date the legislation takes effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.”
Denham has been consistent during her tenure that the accountability principle in GDPR is what organisations should be focusing on.
The principle requires organisations to be able to show evidence for their compliance with the GDPR and explain why they took a particular course of action.
For marketers, this means carrying out a legitimate interests assessment before using that legal ground and detailing why it was the appropriate legal ground, for example.
If an organisation has put in place such processes in order to demonstrate compliance with GDPR then this will be taken into account by the ICO.
As Denham writes: “We pride ourselves on being a fair and proportionate regulator and this will continue under the GDPR, as I set out in my first myth busting blog. Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.”
Following this, she laid out what organisations should do now in order to demonstrate effective accountability:
Organisational commitment – preparation and compliance must be cross-organisational, starting with a commitment at board level. There needs to be a culture of transparency and accountability as to how you use personal data, recognising that the public has a right to know what’s happening with their information.
Understand the information you have – document what personal data you hold, where it came from and who you share it with. This will involve reviewing your contracts with third party processors to ensure they’re fit for GDPR.
Implement accountability measures – including appointing a data protection officer if necessary, considering lawful bases, reviewing privacy notices, designing and testing a data breach incident procedure that works for you and thinking about what new projects in the coming year could need a Data Protection Impact Assessment.
Ensure appropriate security – you’ll need continual rigour in identifying and taking appropriate steps to address security vulnerabilities and cyber risks.
Train staff – staff are your best defence and greatest potential weakness – regular and refresher training is a must.
GDPR is not a revolution and in many areas builds on existing data protection law or emphasises aspects of it. Organisations that are proactive and put in place rigorous processes to demonstrate compliance with GDPR will not have a problem.
However, there are frustrations out there. Parts of the GDPR are ambiguous and clear guidance has not always been forthcoming from the ICO and Article 29 Working Party.
Denham finishes her article by stating that the ICO is a pragmatic regulator and is aware of the real world of business risk and cost. Being able to show that you have the appropriate systems in place is paramount in the new GDPR world.