A recent study has shown that 65% of companies are not ready for the GDPR, with 60% of large companies and 55% of SMEs concerned about GDPR compliance.
The report by big data “guru” Jeff Jonas is one of several recent reports indicating that either the level of GDPR readiness is low or that awareness of the GDPR, and of its key features, is low.
What’s it all about?
The GDPR applies from 25 May 2018. It brings with it a number of changes to the data privacy laws across Europe and places a significant burden on companies both to comply and to demonstrate that they are complying with the new regime. Changes brought in by the new regime include:
- A requirement for businesses to be transparent about what data they have and what they will do with it;
- Enhanced rights for data subjects including the right to request a copy of any data held, free of charge and in an electronic format;
- The need for some organisations to appoint a compulsory Data Protection Officer;
- A tightening in the way that consent to process a person’s data may be collected;
- A new obligation to report breaches to the regulator (in the UK’s case the Information Commissioner’s Office) without undue delay and, where feasible, within 72 hours of becoming aware of them, and to notify the affected data subjects where the breach is likely to result in a high risk to them;
- Fines for non-compliance of up to 4% of worldwide annual turnover or Euros 20 million, whichever is higher.
How do I comply?
This will depend according to the nature of your business and the data you hold. There is no one size fits all, but in most cases the journey to compliance will start with an audit or review of the data that you hold. Many businesses will find that much of the data that they hold is simply unnecessary or is now out of date and procedures and policies can be put in place for the remaining data as well as any new data.
Compliance will also never be a simple matter of filling out a form or putting a policy in place. It will require work from a number of areas of the business and it is often a good idea to appoint data protection champions from a number of key areas of the business, as well as ensuring that there is buy-in from the business at a high level. It need not involve large amounts of input from lawyers or consultants but in most, if not all cases, compliance will need some level of professional guidance or advice.
What is the deadline?
The GDPR applies from 25 May 2018. Strikingly, there is no transitional period for compliance, the official position being that the text of the GDPR was finalised in 2016 and that businesses have therefore had two years to comply. More pragmatically, it is likely to be very difficult for most businesses to comply completely by 25 May 2018, but what is important is that businesses have a plan in hand and are working towards a compliant position.
Equally important is the need to view the GDPR not just as a tick-box exercise or as a need to comply by a given date, but as an opportunity to permanently change the way the business deals with data. Businesses should use the GDPR as a means to effect a cultural change in the way they handle personal data. It is more important that this fairly deep-rooted cultural change is effected than that a business rushes through a series of short-term and superficial measures ahead of 25 May 2018.
Myths and misconceptions
As with all major regulatory changes the GDPR has spawned a whole industry in compliance. It seems almost impossible to go for more than a few minutes without receiving an email about GDPR – whether about a new software product promising to streamline your GDPR compliance process, or from a consultant or training company offering GDPR related services.
It follows that with so much print dedicated to GDPR, a number of myths and misconceptions have built up. The most common include:
- It is necessary to have consent to do anything with data;
- Marketing is no longer possible under the GDPR;
- Huge fines will be levied on all breaches of the GDPR;
- All businesses must appoint a Data Protection Officer;
- It doesn’t affect me/it’s just another Y2K-style problem which will be over soon;
- All data more than 6 years/3 years/1 year old must be deleted.
All of course are entirely false.
There is no avoiding the GDPR and the fact that it has implications for all industries. It does need to be taken very seriously and there is a lot to do.
It is however important that businesses take a sensible approach to compliance which reflects both what the GDPR actually says and the risk profile of each business. For example, the measures to be taken by a business holding millions of highly sensitive medical records will be very different from those required of a small business with limited staff and a handful of customers. Both will need to make changes, but in practice their responses are likely to look very different.
Edwin Coe LLP is a limited liability partnership registered in England and Wales (No. OC326366) and is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office: 2 Stone Buildings, Lincoln’s Inn, London WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing. Our privacy notice which we are obliged to give you under the GDPR is available here.