May 25, 2018
Unless you have been living in a cave for the last few years, you will know that today marks the day when the European Union’s General Data Protection Regulation (GDPR) starts to apply (the Regulation itself entered into force in 2016, with a two-year run-in before enforcement).
As Head of Legal for LEWIS, I have been leading our compliance programme, so I have been keeping a keen eye on the developments, and on the fear, uncertainty and doubt around GDPR.
If you are a European citizen, or even work outside Europe but have dealings with the region, the chances are that GDPR has become intertwined with your life as well, not least in the volume of emails you have received from organisations pleading with you to “stay in touch”. There has been significant press coverage of data privacy in 2018, and privacy has become a conversation at home and in the bar because of the Cambridge Analytica and Facebook affair.
The Cambridge Analytica story brought to the top of public consciousness the realisation that people’s personal data is a valuable asset. Many business models rely on collecting data about individuals (think airline frequent flyer schemes, or companies that offer credit scores), and customer data (even when anonymised) can be sold and traded without those customers’ direct knowledge.
GDPR is one of the few instances where legislative change has become a mainstream media topic. What is more remarkable, as a lawyer, is seeing so many opinions on new laws written by people who are not legally trained. There are countless pieces from firms about how best to promote products and services that assist with data privacy compliance. While it is true that GDPR is wide-reaching and elevates data protection to a board-level issue, many of these articles are clouded by business motives and do not reflect the true nature of the law being implemented. The result is fear, uncertainty and doubt.
Given this situation, here are three tips for complying with GDPR:
Many vendors and services firms have been keen to sell solutions that help companies achieve data protection compliance, but GDPR is technology-neutral: it names encryption and pseudonymisation only as examples of measures that may be appropriate (Article 32), not as mandatory controls. Encrypting personal data is sensible practice, but it is not specific to GDPR, and on its own it does not make you compliant. What the law requires is a set of measures commensurate with the company’s data privacy risk, so the solution for a hospital will be different from that of your local florist.
Mistakes happen. However, the key to legal compliance, and to avoiding large regulatory fines, is to show good corporate governance and that the company has been working hard to comply: GDPR’s accountability principle means you must be able to demonstrate compliance, not merely assert it. This means documenting policies and procedures, and showing that those procedures are communicated and actually followed (for example training records, a maintained record of processing activities, and evidence that incidents were handled as the procedures say). It is far more difficult for a regulator to question a firm’s commitment to its regulatory responsibilities if the company’s management can show that it is truly embracing and leading compliance efforts.
If you are reading this today and only now realising that GDPR may be relevant to your business, you are not too late. Move quickly, but there is no need to panic. Equally, for those who believe the hard work is complete on 25 May and the project can be shelved, that is not true either: every company needs periodic review and assessment of its data privacy and security arrangements.
GDPR starts today but is in no way finished. Indeed, it is just the beginning. Stay on top of it, peer review your work, and don’t panic.