Squeaky Bum Time
To borrow a phrase from Sir Alex Ferguson, it’s squeaky bum time as we approach 25th May and G-Day.
Two years in waiting and the day will soon be upon us when Regulation (EU) 2016/679 finally becomes law.
Are we ready?
Depends who you ask! There are numerous surveys indicating that the state of readiness is very patchy, but typically anywhere between 30% and 50% of businesses believe they are ready for compliance. A previous blog post provided some insights.
If you are one of the many who are not prepared, then you are not alone. Even Her Majesty’s Government are leaving it a little late. The first reading of the new Data Protection Bill took place in September last year, and as we enter May the bill has still to get past Report Stage and onto the 3rd Reading. There are a number of amendments proposed to the bill, so the 3rd Reading promises to be an interesting affair.
The bill will get onto the statute book, but I would not be surprised to see it become another “last minute” addition. This is just one of the many bills going through Parliament. With everyone seemingly focussed on “Brexit”, it appears GDPR has taken a back seat of late.
Mixed Advice Forthcoming
When I look at the “advice” on offer from GDPR “experts”, there are differences of opinion. This is to be expected. Definitive advice will come from either the ICO (Information Commissioner’s Office) or the courts. As with any new piece of legislation, it takes time for case law to build up. Consequently, we see a proliferation of consultants and companies offering you “advice”. With all “advice” regarding legal obligations, there will be a disclaimer that goes along with it. If in doubt, consult your legal advisor! No surprises there.
It’s life, Jim, but not as we know it.
The point to make here is that, in the main, GDPR is nothing new. In the UK, we have the Data Protection Act 1998 (DPA). The requirements of the DPA remain fundamentally the same in GDPR; GDPR extends the provisions of the DPA. The DPA will be repealed by the new Data Protection Bill, and the bill incorporates the provisions of the GDPR into UK law.
If your first response was, “what is the Data Protection Act 1998?”, then you might face more challenges checking your GDPR compliance. On the other hand, if you as a business are aware of your requirements under the DPA you should be in a “good place” for GDPR compliance.
Many of the DPA fundamentals remain the same.
Fairness, transparency, accuracy, security, minimisation and respect for the rights of the individual whose data you want to process.
Sage and Onion Advice
As outlined earlier, the level of “readiness” for businesses is pretty low. Although the survey results are a few months old, I would be very surprised if there has been a significant shift in the position. The fundamental questions that a business needs to understand are as follows:
- Do I know what “data” I am holding?
- What is my legal basis for holding this data?
- Where did I get this data from?
- Do I know if I pass this data onto anyone else?
Yes, it might be squeaky bum time, but it is never too late to make a start.
A really good guide to use is this one from the ICO.
To quote Elizabeth Denham from a recent speech:
DP-Day – is only 27 working days away. But 25 May will merely mark the end of the beginning of a very long journey for the data protection community.
alongside the pragmatic approach from the ICO:
I have no intention of changing our proportionate and pragmatic approach after 25 May. My aim is to prevent harm, and to place support and compliance at the heart of our regulatory action. Voluntary compliance is the preferred route.
With some ground rules laid out, businesses should not worry too much, so long as they are taking steps. Small steps are preferred to none at all.
Next up, an article outlining the approach I have taken as part of work undertaken for a “Non-Profit” organisation.