I’ve been pleased to hear from many of you that the eight GDPR myth busting blogs we’ve run this year have been helpful in your preparations for the new legislation.
I’m still picking up a lot of concern from organisations about preparing for the GDPR by May.
Much of that is understandable – there’s work required to get ready for the new legislation, and change often creates uncertainty.
However, some of the fear is rooted in scaremongering because of misconceptions or in a bid to sell ‘off the shelf’ GDPR solutions.
I’ve even heard comparisons between the GDPR and the preparations for the Y2K Millennium Bug. In 1999 there was fear that New Year’s Eve would see computers crash, planes fall out of the sky and nuclear war accidentally start.
In the run up to 25 May 2018 there have been anxieties too, albeit on a less apocalyptic level. These include claims that we’ll be making early examples of organisations for minor breaches or reaching for large fines straight away, and that the new legislation is an unnecessary burden on organisations.
I want to reassure those that have GDPR preparations in train that there’s no need for a Y2K level of fear. Here’s why:
Unlike planning for the Y2K deadline, GDPR preparation doesn’t end on 25 May 2018 – it requires ongoing effort.
It’s an evolutionary process for organisations – 25 May is the date the legislation takes effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.
That said, there will be no ‘grace’ period – there have been two years to prepare and we will be regulating from this date.
But we pride ourselves on being a fair and proportionate regulator and this will continue under the GDPR, as I set out in my first myth busting blog. Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.
That means being able to show you have been thinking about the essential elements outlined below and who is responsible for what within the business.
There were a lot of predictions in the run up to the millennium about what would happen to computer systems when the clock struck midnight. Would banks collapse, power grids fail and chaos ensue?
But with the GDPR – we all know what’s coming. It’s a known known. Much of the GDPR builds on the existing Data Protection Act 1998. There’s also guidance and a lot of help out there, including our Guide to the GDPR, as well as other help from us, from Article 29, from industry associations and data protection experts. We know there are particular challenges for small organisations. That is why we are targeting specific advice, FAQs, a helpline and toolkits. And there’ll be more help to come throughout 2018 and beyond.
So, in summary, the GDPR is not the Millennium Bug – there’s no wondering if the new legislation will happen, it will. But with that certainty comes an opportunity for good data protection practice to pervade your organisation. This will benefit not just your customers but your organisation as well as it reaps the reputational rewards, allowing it to thrive in the new privacy landscape.
Yes, budgets can be tight, technology is moving fast and there’s a race to keep up with competitors. But if you can demonstrate that you have the appropriate systems and thinking in place you will find the ICO to be a proactive and pragmatic regulator aware of business needs and the real world.
By Information Commissioner Elizabeth Denham.
This post was originally published by ICO.org