There are two persistent myths about the GDPR that have thwarted many efforts towards compliance. First, that the regulations are really complicated, and second, that after 25th May your compliance efforts should be all done bar the shouting. Neither of these myths reflects reality, but I think they have arisen for understandable reasons.

The first barrier to progress is the presentation of both the GDPR and the UK Data Protection Act 2018 (DPA). Each in its own way is hard to read. The GDPR puts all the explanations at the beginning and all the obligations at the end, and the DPA contains three parallel pieces of legislation for different categories of data controller and relies heavily on schedules at the end that cross-reference confusingly to the body of the Act. In short, they were both written by lawyers for lawyers, and ordinary mortals have a hard time gaining a holistic view of their obligations from them. Nevertheless, the obligations imposed by the legislation are conceptually simple and obvious - be aware of and declare what you’re doing, operate with the interests of your data subjects at heart, and minimise opportunities for error, accident and abuse.

The second barrier is that ‘compliance’ in quotes is normally seen by businesses as something aside from and independent of everyday activities - a function essentially aimed at passing periodic audits. This is a common approach to voluntary certifications such as ISO 9001, but the GDPR falls into a quite different realm - that of statutory obligations, alongside taxation, anti-money laundering, and safeguarding. Consequently, it not only has to be nominally complied with, but must be demonstrably operative at all times, because fulfilling its requirements is not optional.

This may at first sight seem hard, but all it means is that fulfilment of the relevant obligations must be built into everyday business processes. This is what the GDPR means by ‘data protection by design and by default’. Once the need for this has been recognised, it becomes clear that compliance must permeate the entire culture of the organisation, rather than being vested in an independent compliance officer or function. And it means you can’t outsource compliance - you can take external advice on it, but you remain liable for all its aspects and outcomes.

The bottom line is that GDPR is not a nightmare or a nuisance. It’s just another example of a growing and desirable trend towards formalising corporate accountability. Despite the legislation only being concerned with ‘privacy’, the fundamental principles that underpin it are the same as those required for robust corporate governance across all aspects of the business.

Good corporate governance results in efficient, effective, low-risk business, so it’s something we should all be interested in. Elizabeth Denham, the UK Information Commissioner, recently stated: “25 May is not the end of anything, it is the beginning...” adding, “opportunities to improve your organisation and the services you offer, through the GDPR, are enormous”, so let’s grasp the opportunity. There’s still time.

