The reality of GDPR
As the first anniversary of General Data Protection Regulation (GDPR) approaches, has the doomsday scenario predicted by many come to pass?
There were similarities with the ‘Millennium Bug’ with the level of hysteria being whipped up in 1999, and the creation of widespread fear that computer systems would not be able to cope with the new date formatting, which would cause chaos around the world as sites and systems crashed.
As the May 25 deadline for GDPR compliance approached last year, swathes of emails flooded inboxes as companies worked to ensure they did not breach the new data regulations.
Graham Millar, Partner, Employment Law at Gilson Gray, believes parallels can be drawn between the two as neither caused the chaos predicted by many.
He said: “GDPR has been similar in a lot of ways to the hysteria surrounding the Millennium Bug; however, although we are almost a year beyond the compliance deadline, only now are we beginning to see the full impact of the changes.
“There have been a few meaty fines dished out to the larger companies, such as Facebook, but for the majority of businesses, those in the small to medium category, the impact has not yet been felt.
“The whole ethos of GDPR was to force all companies who collect or share information on individuals to review their practices and procedures. Do not use the ‘just because’ or ‘we have always done it that way’ as a reason to justify some poor practices – take the time to put in place more robust procedures, with the rights of the individual being at the centre of those procedures.”
GDPR was brought in to modernise laws that protect personal information of individuals and give people more control over their details.
To be compliant, businesses must protect the personal data and privacy of their staff and of anyone they perform transactions with.
Since its introduction, there has been a rise in the number of firms offering services as ‘GDPR experts’, something Graham urges caution over.
He added: “At present, the Information Commissioner’s Office are exceptionally busy, dealing with audits, complaints and the production of guidance, so the prospect of being involved in an ICO investigation for the vast majority of companies is still relatively low.
“The message is not to do nothing, and simply play the odds on the basis it might be some time before you are caught. If you are making genuine attempts to move towards compliance, you are more likely to get the support and encouragement of the ICO, rather than a fine. The ICO have made it clear their preference is to assist companies in reaching compliance, rather than immediately imposing a fine, and confirmation of that attitude can be seen by referring to the enforcement section of the ICO website.
“Having said that, over the next few years, GDPR fines will become more common, as those organisations who have taken no steps are finally caught. Although the fines can effectively close a business, the bigger issue for many companies will be the impact on the business reputation.
“As any enforcement action taken by the ICO is a matter of public record, anyone Googling a business will immediately be referred to this enforcement action. Would you trust an organisation with your business if they cannot look after your personal data?
“That’s why it’s crucial businesses don’t bury their heads in the sand but instead use a trusted expert to ensure they’re fully compliant.
“Some people have set up as ‘GDPR experts’ to cash in on the fundamental changes to data protection. We have heard horror stories of clients paying thousands of pounds for a full GDPR audit, with the only recommendation being that they pay for an even ‘deeper audit’.
“You know your business best and, with the right support and guidance, you should take control of your own audit and put in place your own implementation plan.
“Our award-winning team at Gilson Gray are well placed to break down the complex intricacies of GDPR and guide people through the process in a friendly and professional manner.”