The Information Commissioner says misunderstandings about the best way to approach the May 2018 implementation of the EU-wide General Data Protection Regulation (GDPR) are causing confusion and delay in British boardrooms.
In an in-depth blog post published just before the Christmas break, the Commissioner, Elizabeth Denham, listed a number of what she and her team see as the biggest misconceptions about GDPR – the worst of which she sees as it being approached in the same way as ‘Y2K’, the changeover from two-digit to four-digit year fields in computer dates at the end of the 1990s.
Y2K, also known as the ‘Millennium Bug’, became controversial when few of the feared effects actually happened – though in retrospect, most commentators put this down to the work carried out, ironically enough, to prevent just such ill effects, which it was feared would make older computer systems unstable from the start of January 2000.
“GDPR is not the Millennium Bug – there’s no wondering if the new legislation will happen, it will,” warns Denham.
“But with that certainty comes an opportunity for good data protection practice to pervade your organisation. This will benefit not just your customers but your organisation, as well as it reaps the reputational rewards, allowing it to thrive in the new privacy landscape.”
- Preparation and compliance must be cross-organisational, starting with a commitment at board level. There needs to be a culture of transparency and accountability as to how you use personal data, recognising that the public has a right to know what is happening with their information.
- Documenting what personal data you hold, where it came from and who you share it with. This will involve reviewing your contracts with third-party processors to ensure they are fit for GDPR.
- Implementing accountability measures, including appointing a data protection officer if necessary, considering lawful bases, reviewing privacy notices, designing and testing a data breach incident procedure that works for you, and thinking about which new projects in the coming year could need a Data Protection Impact Assessment.
- Ensuring appropriate security: you will need continual rigour in identifying security vulnerabilities and cyber risks and in taking appropriate steps to address them.
- Training staff: staff are your best defence and your greatest potential weakness, so regular and refresher training is a must.