The General Data Protection Regulation (GDPR) is very much in every firm’s sights. The problem is that most are not tackling it from the right perspective.
This is not another ‘doom and gloom’ GDPR communique, rest assured. Instead, I would like to provide some reassurance and try to dispel GDPR myths and fables.
1 – Beware All GDPR ‘Experts’!
GDPR comes into full force on May 25 – but that is not an end date, it is a beginning. The regulation will evolve from there: there is no case law yet, and no regulator decisions to draw insights from. Those will follow in time.
So beware the self-proclaimed “expert”. No-one can be an expert on GDPR before it has even been applied. Everything apart from the words of the regulation itself and the regulators’ published guidance is just opinion. If you do want guidance and assistance, you are better off speaking to long-term data privacy and protection veterans than to any newly self-proclaimed certified GDPR guru.
2 – It’s Not A Big Bang
Too many organisations are gearing up for GDPR as if it were D-Day: you get all the landing craft together, storm the beach on the 6th of June (or May the 25th), and the work is complete. GDPR is not a deadline; it is a continual-improvement privacy management process. It is an evolution of a way of doing things that tracks back to principles set out in the OECD privacy guidelines of 1980, not a new way for your people to work and your processes to function. GDPR is evolution, not revolution. A much more fruitful approach is to see GDPR as another aspect of your risk management discipline – a strategic business requirement, in effect.
3 – Beware Any Silver Bullets
It’s a fact that no-one has a one-size-fits-all GDPR ‘solution’. There is no such thing, despite a great deal of vendor hype about 100% GDPR fixes. Technology can help, but only as point solutions – tools that take some of the pain away while you manage the larger organisational evolution. Consent management, PIA tools, GRC platforms, training technologies, security software and monitoring tools are each just one part of a wider solution. Vendors should by all means sell their tools, but keep them in perspective of the wider compliance effort.
4 – Billion Pound Fines! We’re doomed!
A lot of the GDPR debate fixates on the maximum fine of 4% of global annual turnover or 20 million euros, whichever is higher.
This is wrong-headed for two reasons:
1, that’s the worst-case scenario – a Facebook-putting-all-its-user-data-online level of problem. These are maximum fines for maximum disasters; most organisations that do face an issue will pay less, in proportion to the size and scale of the risk to individuals. It will also be a lot less in practice because the regulator will want a dialogue about what your procedures were: they want to see evidence of how you prepared, how you responded, and what you will do to stop it ever happening again, rather than to put you out of business.
And 2, beware: we hear too much about fines and not enough about compensation to individuals. The recent Morrisons case should be on the radar, as it suggests another financial danger from data breaches – group claims for compensation. In Morrisons’ case that could mean a payment of money to potentially 100,000 staff. At even £10 each, the figures mount up.
5 – Specifics, Schmespifics
Finally, there is much focus on the specific components of GDPR – consent, erasure and so on. Again, it is just too early to be this deep in the details: as stated above, we just don’t know yet. I also fear it gives the GDPR picture a misleading focus. Organisations need to look at GDPR as a whole, as a risk management, people and process problem, and not get hung up on media-driven issues and rights that may not even apply to them. Starting with a data inventory and understanding your legal basis for processing will determine much of what you need to do, and which rights apply going forwards. As an example, the right to erasure only applies in constrained circumstances, such as where you are holding data that is excessive, inaccurate, out of date or without a legal basis – so if you are doing things correctly in the first place, there may be some things you never need to worry about.
So there are my five main GDPR myths busted. Never forget that your best source of information about GDPR is the source: the text of the regulation itself on the EU site, and the guidance published by the UK Information Commissioner’s Office.
Finally, talk of the UK brings up the main privacy issue for this country. GDPR applies directly as an EU regulation, but the UK is supplementing it, and replacing the 1998 Data Protection Act, with a new Data Protection Bill. The Bill has passed through the House of Lords and is heading down the corridor to the House of Commons – half way to becoming law. That’s a topic for another blog, of course.
We hope you found this useful, and speak soon.
Ralph T O’Brien is Principal at REINBO Consulting, a management consultancy specialising in privacy, GDPR and information security management services.
A Fellow of Information Privacy, CIPP/E, CIPM, CiISMP, Ralph has spent nearly two decades working at the intersection of privacy, security and risk management. Ralph is an experienced consultant, speaker, trainer, auditor, negotiator and manager. His key passion is using his knowledge of privacy law and information governance standards to help businesses develop and grow, engaging stakeholders and delivering complex projects within the information governance sphere.