Editorial

ICO warns UK organisations not to see GDPR as ‘another Y2K’

The biggest difference between this and the Millennium Bug crisis: ‘There’s no wondering if the new legislation will happen,’ says the Information Commissioner. ‘It will.’

Posted 3 January 2018 by

The Information Commissioner says misunderstandings about the best way to approach the May 2018 implementation of the EU-wide General Data Protection Regulation (GDPR) are causing confusion and delay in British boardrooms.

In an in-depth blog post published just before the Christmas break, the Commissioner, Elizabeth Denham, listed a number of what she and her team see as the biggest misconceptions about GDPR – the worst of which, in her view, is treating it the same way as ‘Y2K’, the changeover from two-digit to four-digit year dating at the end of the 1990s.

Y2K, also known as the ‘Millennium Bug’, became controversial when few of the feared effects actually materialised – though in retrospect most commentators put this down to the remediation work carried out, ironically enough, to prevent exactly those effects, which were expected to destabilise older computer systems from 1 January 2000.

“GDPR is not the Millennium Bug – there’s no wondering if the new legislation will happen, it will,” warns Denham.

“But with that certainty comes an opportunity for good data protection practice to pervade your organisation. This will benefit not just your customers but your organisation, as well as it reaps the reputational rewards, allowing it to thrive in the new privacy landscape.”

So, she cautions, don’t treat GDPR compliance as something tied to a fixed point in time. In her words, “GDPR compliance will be an ongoing journey… unlike planning for the Y2K deadline, GDPR preparation doesn’t end on 25 May 2018 – it requires ongoing effort.”
That is because GDPR is better seen as an “evolutionary process for organisations”, she argues: 25 May is the date the legislation takes effect, but no business stands still. “You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.”
She does state that there will be no ‘grace’ period for GDPR, as organisations have had two years to prepare and the ICO will be regulating from that date – “But we pride ourselves on being a fair and proportionate regulator and this will continue under the GDPR… Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.”
In practical terms, that means being able to show that you have thought about the essential elements outlined below and that it is clear who is responsible for what within the business.
The ICO will also expect to see other forms of practical GDPR work, such as:
  • Preparation and compliance must be cross-organisational, starting with a commitment at board level. There needs to be a culture of transparency and accountability as to how you use personal data – recognising that the public has a right to know what’s happening with their information
  • Moves to document what personal data you hold, where it came from and who you share it with. This will involve reviewing your contracts with third party processors to ensure they’re fit for GDPR
  • Implementation of accountability measures – including appointing a data protection officer if necessary, considering lawful bases, reviewing privacy notices, designing and testing a data breach incident procedure that works for you and thinking about what new projects in the coming year could need a Data Protection Impact Assessment
  • Ensuring appropriate security – you’ll need continual rigour in identifying and taking appropriate steps to address security vulnerabilities and cyber risks
  • Training of staff – Staff are your best defence and greatest potential weakness – regular and refresher training is a must.
“Yes, budgets can be tight, technology is moving fast and there’s a race to keep up with competitors,” she concludes.
“But if you can demonstrate that you have the appropriate systems and thinking in place, you will find the ICO to be a proactive and pragmatic regulator aware of business needs and the real world.”