GDPR... careful with 'compliance'
With 25th May getting uncomfortably close, it’s time to revisit the subject of a previous article: the General Data Protection Regulation (GDPR) that comes into force on that day, and will have a profound impact on any organisation that processes personal data.
On the face of it, it might seem to be very large multinationals that have the most to worry about: they hold many millions of personal data records, share a lot of them with partner organisations, regularly transfer them across borders and are prime targets for cybercrime. Yet size has its benefits: these businesses already have dedicated experts in database design, cybersecurity and legal compliance, and can almost certainly afford to hire more as needed. In contrast, sole traders and those in small or medium-sized organisations may be facing data risks on a much smaller scale but have correspondingly fewer resources to meet the new requirements.
Over the past few months I’ve been talking to colleagues in small businesses/organisations across a range of sectors about how they will meet the challenges of GDPR. Some are doing what they can to learn all the skills and absorb all the extra workload that GDPR will bring (at least in the short term). Most feel able to tackle some parts of the job themselves but will buy in expertise from consultants in certain areas. Others plan to rely almost entirely on outside help.
There’s no definitive ‘right approach’ to GDPR for a small organisation. However, if you’re responsible for getting a small organisation ready for GDPR, then I would advise that your responsibilities as a data controller cannot simply be outsourced. It’s a good idea to bring in expert help where you need it, but it’s important that you take ownership of the whole process and work to understand it. This isn’t like the ‘Millennium Bug’ – you can’t put in a one-time fix and then breathe a sigh of relief. GDPR brings in a new way of working with personal data, and there is little point having a lot of external help getting you “compliant” by 25th May only to find you’re then on your own and don’t know what to do when your next project starts.
I also think a word of caution is due about the very phrase “GDPR compliant”. The GDPR is peppered with words like “reasonable” and “proportionate”. Just how these should be interpreted will be determined over the years by rulings from supervisory authorities or the judiciary, but right now nobody can say for certain that they can make your business “GDPR compliant”. Rather, we need to recognise that the best we can say with any certainty is that we are taking all reasonable steps to reduce the risks of non-compliance to acceptable levels.
In one way that might not sound very reassuring: big scary legislation is coming, and we’re not being told how to definitively meet it! But actually, it means that if a business or organisation can demonstrate it has looked at its data protection responsibilities and made reasoned decisions for how it meets them, it is very unlikely to run into serious problems with its supervisory authority (in the UK, this will be the ICO, the Information Commissioner’s Office) – even if those decisions are later shown to have been flawed.
Personally, when I work with sole traders or small enterprises that need help with GDPR, I’m keen to break down the Regulation’s requirements to the fundamentals and make sure these are understood by my clients. Then I can take them through simple, practical steps to work out what they need to do with the data they hold and the data processing activities they want to undertake. Gaps in their policies and procedures soon become apparent and can then be quickly addressed. Yes, this means some extra work, but much of this effort is upfront and results in resources that can be drawn upon repeatedly in the future.
The eventual aim is to get people to a point where, not only are they confident they have taken all reasonable steps to comply with their data protection responsibilities, but they have the understanding to adapt and evolve their practices as new projects start and new problems are encountered.
If I can achieve that, then I’ll be happy – and so, I think, will they!