So, here we are, a month after the General Data Protection Regulation was enforced. And so far, no data apocalypse. No multinationals crashing under the weight of astronomical fines, no flurry of ‘plucky-little-guy-who-knows-his-rights-versus-the-Powers-That-Be’ legal cases, no cricket clubs closed down for posting Sunday’s team on their noticeboard without evidencing consent. How can this be?
Well, for a start GDPR is more of an evolution of existing legislation than a revolutionary paradigm shift. If, as a business, you were getting along OK with the Data Protection Act, you’re probably getting along OK with GDPR. Secondly, it will take time for the legislation to bed in: important legal challenges that establish case law will take months or even years to come to court. And thirdly, despite the focus on the starting date of May 25th, the advent of GDPR wasn’t (as I’ve said before) a one-off event like the Millennium Bug. Rather, it was much more like the Health & Safety at Work Act that was introduced in 1974 and has been in force ever since. GDPR marks a new way of working with personal data that will be with us for a long time to come.
OK, you might ignore Health & Safety regulations and get away with it for a long time, with a bit of luck. But any business that sticks around long enough will suffer a work-related injury eventually, and that’s when you’ll get into trouble. Possibly quite serious trouble, because you’ve been breaking the law. It’s the same with GDPR – if you’re around long enough, you WILL suffer a data breach. But if you’ve taken reasonable actions to comply with the law then a) that breach is a lot less likely to happen in the first place and b) your encounter with the ICO will probably be quite positive.
May 25th wasn’t the cataclysmic event that was hyped by some, but nor was its passing a reason to breathe a sigh of relief and carry on as before. Hopefully, your business is more-or-less there regarding GDPR readiness. Now is the time to finish off any bits and pieces you didn’t get around to and think about how to build an awareness of data protection regulations and general good practice into the culture of your organisation.
Article 32 of the GDPR is instructive here, stating as it does that data controllers and data processors should implement “…a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.” In other words, now we’re over the panic, let’s not get complacent.
While clients are still coming to us at Aethos asking for help with Privacy Policies, Data Flow Maps and Data Protection Impact Assessments (and we’re happy to help!), our focus is now moving towards helping organisations review and test their systems in a painless, cost-effective and totally apocalypse-free way.