With GDPR only a few months away, the papers, seminars and news reports on the new regulation are growing in number. Can you sort the facts from the fiction? We have fact checked some of the most common myths about the General Data Protection Regulation (GDPR) in our latest blog.
‘GDPR is completely new – we are going to have to start from scratch’
While some areas of GDPR can be considered new requirements, the fundamental principles of the new regulation are based on the original EU Data Protection Directive (DPD) of 1995. In the UK, the DPD was implemented as the Data Protection Act 1998, which all organisations handling personal data are legally obliged to comply with. As a result, the majority of organisations are likely to already have a foundation of data protection compliance and should therefore consider GDPR as an evolution of the existing law, rather than a revolutionary new regulation.
Key changes to the regulation are covered in our helpful GDPR guide, which you can download here. The Information Commissioner’s Office (ICO) website is another valuable source of information for any GDPR queries you may have.
‘Brexit means we don’t have to comply in the UK’
Brexit has caused a lot of uncertainty in many different areas of business, both locally and internationally. In the UK, while many aspects of our exit from the European Union have not been confirmed, our compliance with GDPR is not one of them. The new regulation will affect any organisation, wherever it is based, that collects or processes the personal data of individuals in the EU.
The UK Government’s proposed Data Protection Bill is the update to our original Data Protection Act and promises to bring our data protection laws up to date. It is understood that the Bill will largely bring EU law into our domestic law, meaning that regardless of the continuing negotiations, UK companies need to adhere to GDPR.
Updates on the new Bill as it progresses through parliament are available here.
‘As long as GDPR is implemented by the 25th of May 2018, we will be compliant with the law’
Clearly, being compliant with GDPR by the May 2018 deadline is what all organisations should be aiming for. But what happens on the 26th of May and beyond? GDPR shouldn’t be considered a project with a defined end date. In reality, once you have reached compliance, there will be a constant need to review and update practices to maintain it. Data Protection Impact Assessments (DPIAs) are an example of this: any new practice, software or processing technique that is likely to pose a high risk to individuals is assessed fully before it is put into use, minimising the potential risk to an individual’s data privacy.
As organisations grow and evolve, their data protection and overall security policies and procedures will need to as well. It is best practice to support a culture of data protection and security, including providing regular training and awareness for all staff dealing with personal data.
‘GDPR is an IT issue’
Placing the responsibility for GDPR compliance on any one department is not going to get the best results, nor will it support an overall culture of data security. Technology does play a key role in the infrastructure and success of many businesses, but technology alone will not satisfy all GDPR requirements. During the initial implementation phase, it is important not to get caught up in software that promises to be ‘GDPR compliant’ and to assume that using it automatically makes your processes compliant as well.
There is an ongoing debate as to who should lead the GDPR implementation programme, but it is agreed that GDPR compliance is the responsibility of everyone within the organisation, including senior level executives. Key departments which handle and process highly sensitive and personal data including finance, legal, HR and marketing, will all need to be aware of their own accountability and responsibility. Dedicated training and awareness campaigns are vital to ensure all employees understand how their behaviour can impact data security.
Under GDPR, some organisations will also be required to appoint a Data Protection Officer (DPO). Acting independently from the rest of the business, the DPO is the first point of contact for all GDPR queries and reports directly to the highest level of management. The ICO website explains in detail both the criteria for needing a DPO and their full responsibilities. Regardless of whether you are legally required to have a DPO, collaboration between the C-suite and each department within the organisation is a key success factor for implementation and continued compliance.
‘GDPR is going to be really costly, both in the short-term and long-term’
The implementation of any new procedure or process is likely to incur some level of cost; however, in GDPR terms, the potential fines for non-compliance far outweigh the cost of implementation.
The way organisations approach GDPR and their level of strategic planning will all have an impact on how much they end up spending. For example, GDPR advocates a ‘privacy by design’ approach to data protection and overall security. By placing privacy and data protection at the forefront of the design and implementation of new systems, organisations can avoid the expensive and often inefficient ‘bolting on’ of privacy as an afterthought.
Expenditure on GDPR measures should really be considered an investment rather than an expense. Putting the effort in now to ensure all new systems are GDPR compliant will have significant long-term benefits, even if there are upfront costs. Avoiding the increased penalties for non-compliance and data breaches is just one benefit of being compliant. Data-led decision making should also be more accurate under GDPR, because customers will have actively consented to communications; their engagement and feedback allow the provision of tailored products and services in a highly competitive global market.
Overall, committing to a security culture will be cheaper in the long run, particularly when you consider the maximum fine of €20 million or 4% of annual global turnover, whichever is higher, that the ICO is able to impose.