On the 1st January 2018, GDPR will no longer be coming next year; it’ll be a few months away!
At this point, you’ve heard the headlines: the massive fines, the extra compliance and lots of talk about consent. If you’re already active in getting your organisation in shape for the change in law, you’ve probably noticed that, actually, it’s much more of an intrusion than most of the GDPR articles make it seem. Because of that, there are some things we just don’t want to deal with – at least, not the way the letter of the law actually prescribes.
Not everyone is behaving themselves…
One of the obstacles to GDPR compliance is the current state of compliance with the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR). In comparison to the GDPR, the DPA permits relatively policy-driven compliance, whereas the GDPR is much more activity-driven. The brutal truth is that many of us are able to duck under the bar of strict data protection compliance by saying one thing and doing another (so long as what we do doesn’t attract attention!).
Not only this, but the current system of enforcement (there are relatively few fines each year, compared to the number of companies breaking the law!) is one that can often make it worth taking the risk.
Much fuss has been made about the potential fines that you could receive if your organisation breaches GDPR. Perhaps rightly so; not simply because of the size of them, but also the ease with which you can be caught under GDPR in comparison to the DPA. They say that the biggest driver in compliance is the likelihood of getting caught – on this basis, our current attitude towards DPA compliance is the thing putting most organisations at risk under GDPR.
The existing law is still law (and some of it’s not going away!)
The attitude mentioned above has already put companies, including Honda, in the ICO’s firing line. Honda’s attempts earlier this year to achieve GDPR compliance were found to have been made with disregard for the PECR, highlighting that their data protection practices hadn’t been in line with the current legislation. This was a particularly illuminating case, as the PECR will continue to be applicable under GDPR. Contravention of the PECR under GDPR could, at worst, incur the highest fines.
It’s not just about getting it right, it’s about putting in the work
Even down to some of the most fundamental new processes under GDPR, there’s extra work involved. That’s because pretty much everything to do with handling personal data must be justified and evidenced.
Yet still, we’ve dealt with and/or advised organisations (some of whom operate as sellers of personal data) that have glossed over certain aspects of their compliance, with potentially devastating consequences. Weighty tasks, such as identifying ‘legitimate interests’, have been met with single-sentence answers and no documentary evidence. The door has been left wide open for regulatory action.
These are some harsh truths about the GDPR, and further still, there are unlikely to be any safety nets. Though the ICO has a tendency for pragmatism over being punitive, the GDPR mandates that fines should be ‘dissuasive’. On top of that – though it’s yet to be tested – it’s unlikely that insurance will cover regulatory enforcement penalties, leaving ‘breachers’ on the hook.
It’s not all doom and gloom!
As ever, the Devant team are on hand to help business owners with our GDPR analysis workshop, which will give you a tailored action plan for GDPR readiness. Having taken ourselves through ‘the GDPR process’, we know the pain it can bring, but also the great reassurance of knowing you’re not at risk, with the evidence resting in your hands. Contact us if you’d like a practical approach to your GDPR readiness.
Fraser Gleave
Junior Commercial Contracts Consultant