GDPR Dumb Ways to Fail: 7. Treat May 2018 as a deadline
For the early years of this millennium, doomsday crackpots predicted that the world would end in 2012, as prophesied by the Mayan calendar.
For the past two years, that role has been taken on by vendors and consultants who have foreseen the apocalypse on 25th May 2018 when the GDPR is enforced. Supervisory Authority Enforcement Agents will kick down the door of each and every company, charity or public authority that is in possession of so much as a phone book, and their Data Protection Officers will be dragged off to Wilmslow to face punitive fines or fall down the ICO’s stairs.
We’re The ICO, son, and we haven’t had any dinner. You’ve kept us waiting, so unless you want a kicking you tell us where the personal data is.*
Really? That’s dumb.
We’ve already talked about the reality of fines, so if the percentage-which-must-not-be-spoken isn’t going to be universally applied, then what will actually happen?
In August, Information Commissioner Elizabeth Denham wrote:
“The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”
The ICO will doubtless work to enforce the new law and uphold information rights, but we won’t see a sudden rush of punitive enforcement actions.
The GDPR is an evolution of current data protection laws, so think about what changes on 25th May 2018. There is no visit from GDPR auditors that day to award or revoke a certificate. There is no industry-regulated cut-off that will result in your systems being shut down. GDPR readiness is not a one-off project, but a move to a new way of working with personal data.
What changes is an evolution in your organisation’s processing risk profile. You are exposed to some fresh risks, and the potential impacts of those risks increase significantly. If you’ve built your delivery around a risk-based approach, and ensured that the change in risks is reflected in the executive risk reporting, then you’ve acknowledged that there is no such thing as ‘GDPR compliance,’ just GDPR readiness, and your risk model can accommodate the change. Yes, those risks might come to pass. But in the meantime business goes on, and your organisation can continue to make rational and correctly-prioritised operational choices, based on an understanding of operational risk and an appropriate prioritisation against other commercial needs.
25th May 2018 remains a big deal, but for your project it should be just a risk milestone, rather than the end of the world. The apocalypse will have to wait for the next doomsday prophecy**.
*I’ve always wanted to use that line.
**Which might actually be the ePrivacy Regulation.
Please suggest your own GDPR Dumb Ways to Fail in the comments below, and we’ll add them to the list to be tackled in the coming days.