The most common questions to our 24-hour helpline this month have been about GDPR and what companies should do to become compliant. Whilst the clock is running, with “G-Day” being 25 May 2018, there is still time for companies to get up to speed on the new regulations.
GDPR has caught a few businesses by surprise and left others completely bewildered.
On a larger scale, thousands of parents expect to demand their children’s GCSE and A-level papers through subject access requests (SARs); some businesses are planning to stop working with companies outside Europe; many bosses are burying their heads in the sand; and others are driving themselves bonkers moving meeting rooms, blacking out windows, banning whiteboards, and asking staff to sign official secrets acts and password-protect holiday requests. So, are these regulations here to stay? Who can police compliance for the whole of Europe, and what happens if you get it wrong?
GDPR is less about the details and complexities of specific agreements, notices or assessments, and more about a change of culture and the way we work with and respect a data subject’s privacy. And, while GDPR affects almost everything we do, every document we look at or process, and how we operate across organisations, GDPR can surely be a positive and safe way for employers to care for employee and data subject information.
We all know and appreciate how substantial the required changes are. However, learning from each other’s tips and processes can help. The new rules on privacy mark the first time the employee, rather than the employer (as under the previous Data Protection Act 1998), has been placed in control of their data, but this doesn’t require a complete overhaul of contracts of employment, policies or existing rules.
Show a clear understanding of your work processes (data mapping), of the regulations (applying a lawful purpose), of how the regulations apply (storage, retention and deletion), and have the correct notices, consents and information in place (privacy notices, processor agreements and data protection policies), and you’re halfway there.
Prove that you regularly train staff and keep them updated on GDPR, that staff understand the breach reporting process, that you keep adequate records (third-party supplier, asset and breach registers, etc.) and that you have appointed a data manager, and you’re essentially done. No?
The ICO has issued guidance stating that its main role is to support rather than punish in the first instance. So the biggest risk to employers working towards compliance isn’t that the ICO will knock on the door (although that remains a possibility) but rather that those who are not compliant are exposed to disgruntled employees (or ex-employees) acting as whistleblowers.
GDPR rules and regulations aren’t going anywhere. So, despite the time and costs involved (which are no excuse for non-compliance), whether businesses are seeking a cultural overhaul, want to achieve total compliance, or simply want to protect themselves from unhappy stakeholders, working energetically toward compliance really can’t be such a bad thing.