The General Data Protection Regulation now applies. Don’t panic.
Hello and welcome to the IT Governance podcast for Friday, 25 May 2018, the day the EU’s General Data Protection Regulation (the GDPR) – the first major update to European data protection law in more than 20 years – applies across Europe and around the world.
Frankly, there’s more than enough material out there for you to plough through at the moment without me adding to it by reiterating the six data processing principles and six lawful bases for processing personal data, or telling you once again about data subjects’ rights to access, rectification, erasure, data portability and the like.
All I will say is that if you’re one of the many businesses panicking that you haven’t done enough to avoid huge fines for non-compliance, remain sanguine.
For one thing, you’re not alone. According to government research published in January, only 38% of businesses had even heard of the GDPR, and only 27% of those – about 10% of businesses overall – had made changes to their operations in preparation for the GDPR’s application. A few months down the line, those numbers are likely to be only slightly higher.
Moreover, the ICO – the body that will actually be enforcing the new law – has repeatedly stated that it will not be making early examples of organisations for minor GDPR infringements, nor will it be doling out huge fines willy-nilly.
The Information Commissioner herself said last year that, “while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective. Like the DPA [the Data Protection Act 1998], the GDPR gives us a suite of sanctions to help organisations comply – warnings, reprimands, corrective orders”.
And if that’s not reassurance enough that hysteria is unwarranted, you should be aware that in 2016/17, only 0.09% of cases concluded by the ICO resulted in fines for the organisations involved. This is unlikely to significantly change.
That said, you definitely shouldn’t rest on your laurels: there is still a risk of significant reputational damage and the possibility that aggrieved data subjects might sue you if you fail to take appropriate measures to secure their personal data.
The new law isn’t all about increased obligations and penalties though; there are many great advantages to GDPR compliance too. The Regulation promotes greater transparency and increased public trust by giving individuals control over their data. By getting data protection right you will enhance your reputation and build better, trusted relationships with your customers and the wider public.
Moreover, by implementing and maintaining the technical and organisational measures required by the GDPR, you will benefit from greater information governance and cyber resilience.
GDPR compliance is a Good Thing, and we’re here to help with your compliance journey.
Whatever you need, whether guide books to explain your obligations, documentation templates to help you write compliant policies, or expert consultants and trainers, visit our website.
Until next week, when we’ll return to our usual news round-up, good luck.
And don’t panic.