It seems there are only two ways to sell GDPR products and services:
- Tell everyone they are going to get fined €20M or 4% of their annual revenue; and
- Tell everyone that they only have until May 25th to get compliant or they’re in big trouble
These are both utter nonsense.
While the monster fines are a theoretical possibility (per Article 83), I would hope that by now you know they will be reserved for the VERY worst offenders. If you don’t, read this from the UK’s Information Commissioner herself: GDPR – sorting the fact from the fiction. My favourite quote from it:
“Issuing fines has always been, and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned.”
And not one of these 16 (0.09% of the total!) was anywhere near the maximum of £500K, so forget the damned fines!! Unless of course you work for a bunch of total scumbags like Keurboom, then I hope you get completely reamed.
Anyway, so here we are, less than 3 months away from May 25th, and the ‘deadline’ for compliance is the most prevalent scare tactic!
“Get compliant before May 25th or else!!” “Deadline fast approaching!!” “Trust me, I’m a certified practitioner!!”
The thing is, “or else” what, exactly? What do you think is going to happen on May 25th? That your supervisory authority is going to be banging on your door with cries of “Article 30!! Show us your records!!”? Do you expect to receive hundreds of requests for access from people who know even less about GDPR than almost anyone reading this blog? Do you think you’ll suddenly be the subject of a class action suit?
Do you think your supervisory authority even knows who you ARE at this point? [No offence]
I’ll tell you what’s going to happen on May 25th …not a bloody thing different. It will be business as usual.
However, what WILL happen from May ONWARDS is a gradual increase in how the GDPR is enforced in each member state. Guidance from supervisory authorities will increase in line with the real-world issues they face; certification mechanisms will be released, forcing all organisations to at least review and consider them; the general public will gradually come to expect the heightened protection mechanisms and vilify those organisations that are not up to speed; and so on.
To put this another way: Data Protection law is not going away and cannot be ignored. By anyone. In fact, in light of things like AI/ML, Big Data and the Internet of Things, data protection is only going to become more embedded in everything we do. It has to, and you need to keep up with it.
So the more time that passes, the fewer excuses you will have for doing nothing, regardless of the size / type / industry vertical in which your business operates. In the UK, for example, you are already 20 years too late to be proactive. The DPA has been out since 1998, and compliance with it would have covered the lion’s share of the GDPR, which itself has been out for almost 2 years.
While I can sympathise with organisations fumbling around but doing their best, I have little sympathy for organisations who have done nothing. It’s these folks who should be the most concerned, not for May 25th, but every day after it.
Not one organisation out there is incapable of doing these 6 things before the ‘deadline’. Not to completion perhaps, but a good chunk:
- Find out where all your personal data is [even crappy questionnaires and interviews will get you most of the way there];
- Map that data to the business processes that created it [HR, Sales, Marketing and so on…];
- Agree on which business processes should continue as they are, which should change, and which should stop altogether;
- Get rid of all instances of personal data that do not support the agreed business processes;
- Obtain appropriate guidance on the lawful basis(es) for processing what’s left; and
- Commit, in writing, at the Board level, to achieving full compliance.
While this is nowhere near a full demonstration of compliance, you have done 3 things that the ICO have every right to expect. You have:
- reduced your risk by minimising your threat exposure – you can’t lose or misuse what you don’t have;
- done your best to ensure that you are supporting the data subject’s rights – the whole point of this exercise; and
- MADE A BLOODY START!
I don’t care if you only achieve full compliance 5 years from now, and it’s unlikely the supervisory authorities will either, if, and ONLY if:
1. Your commitment is real;
2. You have a plan; and
3. You don’t get reported or breached.
It’s up to you to do ENOUGH now to make sure number 3 doesn’t happen; work on the rest when you can. Just make sure you can justify your timelines.
[Ed – It’s good to see that the message is getting out there, even across the pond: GDPR – Five Myths Debunked]