The day is finally upon us, the GDPR has landed and the new regime of data protection has begun. If you have survived the scaremongering, the frantic rush to update your privacy notices, contracts and internal policies and procedures to ensure compliance by today, then you have done well.
You are almost certainly one of the large majority of businesses whose preparations are not quite complete. Indeed you would be unusual and very possibly unique if you could say that you were fully GDPR compliant. As the Information Commissioner’s Office (ICO) reminds us this is a process of evolution as opposed to revolution and, consequently, compliance will be an ongoing process. The key thing is to have a sensible plan which is proportionate to the amount and nature of data that your business processes and to be able to demonstrate that you are working through that plan.
Myths and Misconceptions:
The GDPR is undoubtedly going to change the legal landscape in a dramatic way, bringing the legislation surrounding data protection into the 21st century. However, as with every significant regulatory change, there has been a vast array of myths and misconceptions appearing.
Arguably the most common of these myths and misconceptions is that, as of today, consent will be required in order to do anything with data. This is simply not the case and as the ICO stated in their blog accompanying their finalised guidance on consent, which can be found here, ‘…consent is not the silver bullet for GDPR compliance’.
Other common myths include:
Marketing is no longer possible under the GDPR
Every breach of the GDPR will attract the maximum fine
Brexit means UK businesses do not need to be compliant
A Data Protection Officer must be appointed by every business
The GDPR only applies to European organisations.
These are of course incorrect.
Whilst the importance of the GDPR is undeniable, the most significant thing is for you to be able to demonstrate that your organisation has a plan in place and is working towards compliance by implementing necessary policies and training, with a paper trail to evidence this.
Although the key principles of the GDPR will be the same for every business, focussing predominantly on increasing organisational transparency and accountability, in practice the necessary steps to be taken will vary greatly between organisations and will likely require some level of professional guidance or advice. Nevertheless, the majority of businesses should begin the process by conducting an audit or review of the data they hold, and of whether that data is still necessary and up to date.
Watch this space for further information and updates on the early stages of the GDPR regime.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.