(but try to get it right in the end)
By now I expect most people reading this will have heard of GDPR (The General Data Protection Regulation). It passed into EU law in April 2016 and comes into force on 25th May 2018 across the EU - including in the UK. Despite Brexit it will form the basis of UK data protection law for the foreseeable future, so it has to be taken seriously.
The implications of GDPR
GDPR has significant implications for how organisations use personal data and how they keep it secure. In some aspects (such as consent requirements, data subjects’ rights, automated processing of data and penalties for non-compliance) it is very different from the Data Protection Act 1998 (the previous law). In other respects (such as the basic data protection principles) it is very similar or only a moderate evolution. There is also a new Data Protection Act coming in late 2018, which will make further changes (including reducing the age at which a minor can give consent from 16 to 13).
I keep hearing (usually from those who only started preparing close to the implementation date) that it is a “nightmare”, “over the top” and that compliance is a huge bureaucratic task. For some that may well be true but for many it will not.
I’ve seen lots of inaccurate information in the media, lots of knee-jerk reactions (even from very large organisations) and lots of scaremongering by self-professed experts trying to drum up business. Myth-busting is important (for example, you don’t always - or even often - need the consent of the data subject to process their personal data).
So my key message (in true Douglas Adams style) is:
What the ICO thinks
And the Information Commissioner agrees with me. As her newsletter of 3rd May 2018 said:
"To small and micro businesses, clubs and associations who are not quite there, I say … don’t panic! ...we pride ourselves on being a fair and proportionate regulator. That will continue under the GDPR. 25 May is not the end of anything, it is the beginning, and the important thing is to take concrete steps to implement your new responsibilities..."
I find that for many (particularly smaller organisations), it is not that they will become non-compliant on 25th May 2018 but rather that they never were compliant in the first place! Let’s face it, if that’s the case and the world didn’t fall apart before 25th May, it probably won’t fall apart after 25th May either! Granted there is some increased awareness of data protection as a result of GDPR implementation so the risk of challenge/complaints may be higher but you need to keep it in perspective. As a lawyer speaking at a conference I attended recently said, “GDPR compliance should be seen as an aspiration rather than a destination”!
What should you do about GDPR?
First, do your homework; find out the truth about GDPR. The Information Commissioner’s Office is a good place to start (see https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/).
Take a considered approach; think about the risks for your organisation. High risks are likely to come in areas such as use of sensitive data, marketing or other areas where you are likely to need consent, unsecured data or if you are processing data in ways the data subject might not expect (or like). This isn't an exhaustive list; you need to think about your specific circumstances.
Then put together a plan for how you will move towards compliance; a good starting point is the ICO’s helpful publication Preparing for the GDPR: 12 steps to take now (https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf). In larger organisations you’ll need to get senior managers to buy into the need to tackle this (if they haven't already) and then train everyone (it can’t be left to one person).
Keep your GDPR response proportionate
Keep your plan and timescales proportionate to your organisation's needs, the risks it faces and the capacity available for you to do the work. Of course you need a plan that takes you to compliance but if you haven’t sorted GDPR out by the time you read this you won't be able to think of 25th May as a deadline - it has probably passed anyway.
Depending on your circumstances it may be a big and complex plan or it may not be. Either way don’t panic and rush to do it all at once; be realistic. Work as quickly as you can but be methodical and tackle the biggest risks first (e.g. public facing material such as privacy policies on documents and websites). You will get there in the end but this work should not dominate to the point that you lose sight of bigger risks to your organisation or to your beneficiaries (after all, serving them is why you exist!).