GDPR: Stop rushing and get it right
- Credit: Archant
The new GDPR regulations come into force this spring, but there’s no need for businesses to panic. Darren Sherborne, of Sherbornes Solicitors Ltd, explains what to do
On the May 25, 2018, new regulations come into force concerning data protection. If you haven’t heard, the General Data Protection Regulations (“GDPR”) will impose considerable financial penalties for those who fail to comply. At least, that’s the headlines. The same headlines warn us that compliance is very difficult, and that time is running out. Of course, these make great headlines, and “experts” such as myself are gearing up for the influx of work as frightened business leaders race to comply. Add a little perspective to the pot and the reality may be a little different.
It is true that the new Regulations are complex and not easy to understand. It is also true that the Regulations set out financial penalties of up to 4% of turnover for any errant organisation. However, the Information Commissioner (a nice lady from Canada) has been expressing some frustration with the advisory industry for what has been described as scaremongering. I would go as far as saying that some of the commercially induced panic is actually doing more harm than good and I urge any business to stand back and ask whether their response to the new Regulations is properly thought through.
The reason for a slightly slower, more considered response are as follows:
• The Regulations have come about as a result of a European Directive. That cannot have force in English Law without an act of parliament. That act of parliament, at the time of writing (January 2018) is not yet finished. In other words, things may yet change.
• The Information Commissioner (ICO) has said, repeatedly, that her office will not be rushing out on the 25th May and begin prosecutions. In fact, the ICO has said the opposite. She has said that for the first year she expects business to prepare, but as long as they comply with the last Data Protection Act (1998) properly, it will not be a problem.
• It is also important to have some perspective on the ICO, which in the vast majority of cases only levy fines as a result of organisations self-reporting breaches. The ICO has also been less than a runaway success in its litigation. In fact one barrister told me that the ICO success rate in litigation is almost zero.
- 1 WIN a holiday to the Isles of Scilly worth £1000
- 2 Win a 2 night beach stay at The Beachcroft Hotel in Sussex
- 3 20 of the best places to eat out in St Ives
- 4 WIN £500 worth of preloved designer clothes
- 5 23 cottages that will make you want to move to Surrey
- 6 6 waterfall walks in Derbyshire and the Peak District
- 7 20 of the best restaurants in Hertfordshire
- 8 9 lovely beaches in Cornwall that allow dogs all-year-round
- 9 WIN a stay at Hornington Manor's new shepherd huts
- 10 Beautiful places to go wild swimming in Suffolk
• One of the most important reasons for a considered approach is the nature of one of the restrictions. In order to process personal data, you will have to publish the reason for processing it. For the vast majority of processing, the reason for allowing you to process the data will be “consent”. However, once published, you cannot then change that reason, without going back to the data subjects and getting fresh consent. Therefore rushing and getting the reason for processing wrong will leave an organisation having to do the whole process again.
There is no doubt that the new Regulations are onerous and complex. However, there is every reason not to rush attempts at compliance. After all, the act of parliament is not even finished.
Simple initial steps can get you thinking along the right lines. Examine consent and the process you use to get consent (for processing data). It can no longer be by means of a pre-ticked box, or lost in terms and conditions. It will need to be a separate document, that people can opt into, not out of and the mechanism for withdrawing consent will need to be just as easy as it was to provide consent.
Think also about transmitting sensitive data. You will need a process of protecting it during transmission. That may be encryption or some other method, but don’t just buy a policy off the shelf and then not follow it. If you do this, you will be wasting the one year grace period the ICO is giving, which could be used to try and test procedures, so that compliance does not become the rushed minefield that some organisations are apparently wading into blindly.
Darren Sherborne is a Senior Employment Solicitor at Business law firm Sherbornes Solicitors Ltd in Cheltenham.