15 March 2018

Are you GDPR prepared?

With the new General Data Protection Regulation coming into effect on 25 May, Head of Commercial Emma Roe has considered what still needs to be done by many businesses to comply.

Are most businesses prepared for the implementation of the GDPR?

I think given the amount of coverage that the GDPR is getting, it would be hard for many businesses to claim they aren’t aware of the imminent changes in data protection law taking effect this May.  However, what remains striking is how this hasn’t yet translated into action for the vast majority of organisations. A recent survey I’ve seen shows a figure of 60% of respondents saying that whilst they are aware of the GDPR they haven’t yet started to do anything about it.  GDPR seems to be going into the ‘too hard’ pile for some people, which I think is a shame as I suspect lots of organisations will have been sufficiently compliant in their data handling to date to mean that the upgrade to GDPR compliance isn’t too big a leap.

For those yet to manage compliance, what is the most urgent step ahead of 25 May?

The best place to start is an understanding of what types of personal data are currently held, what processing is done with it and how is it kept secure.  The most significant question is: which condition for lawful processing is currently being relied upon in relation to each form of data being processed.  The majority of the conditions for lawful processing have actually stayed the same under the GDPR so, again, understanding which conditions remain in place and which are being relied upon forms the bedrock of achieving compliance under the new landscape and may even confirm that there isn’t too much change involve in approach. 

However, one significant area of change under the GDPR is the detail around the existing condition for processing of ‘consent’.  I’ve heard a lot of rubbish being talked about consent, including advice to some marketing teams that the condition of ‘legitimate interest’ can be used to justify all marketing activities without the need for reliance on consent.  I’m afraid this kind of advice is downright misleading.  It simply isn’t as black and white an issue as that – legitimate interest may be an appropriate condition for processing but not for all marketing and not without a bit of thought and consideration.

How likely is it we’ll see the financial penalties of the GDPR implemented come 25 May?

A fair bit of the more scare-mongering end of the GDPR coverage has focused on the significant shift in sanctions which the Information Commissioner’s Office (ICO) will be able to impose under the GDPR.  It’s fair to say, these penalties do represent a major change in potential exposure in technical terms and so can’t be ignored.  However, in my experience the ICO, as the regulator of data protection in the UK for the last 20 years, focuses very much on seeking to educate and work with organisations who are trying to get things right, rather than rushing to fine for any and all breaches.  For them, it is the organisations with a clear cultural and, often, long-standing or repeated disregard for personal data that get the real impact of their fining powers. I don’t expect that approach to change dramatically, even if the figures might rise a little in due course. 

I don’t expect the ICO to rush to impose fines on organisations that they’ve never had reason to have on their radar before 25 May 2018.  However, it is worth bearing in mind that we’ve had a two-year transition period from when the GDPR first came into force in May 2016.  So, I suspect there will be limited patience from the ICO when they first start engaging with organisations who have made no apparent effort to try to reach a compliant position. 

How do you think the GDPR is likely to change the data protection landscape? Is this regulation going to better protect consumers, create a more defined market for data, or both?

I think the clear aim of the GDPR is around improving consumer awareness as well as the consumer protection afforded by regulating the handling of personal data.  It’s a move that is, I think, in tune with the technology developments and globalisation of data which have made us all a little bit more conscious of where our own personal data is and who has access to it. 

I’m hopeful that a more consistent approach and level playing field will also be a key practical outcome of this change in the law.  Compliance with data protection laws has always seemed to be patchy to date, with some sectors falling significantly behind others in respecting the position of the individuals whose data they handle.  The market for data has been a murky world in some industries and that just isn’t good enough with the technological tools and regulations we now have available to us.  I think those organisations getting it right under the GDPR will really benefit from the increased customer trust and brand recognition that comes from taking a transparent approach to compliance.

For more information, please see our Data Protection and Privacy page where you can download our GDPR ‘Getting it right’ brochure.