Ahead of the roll-out of the General Data Protection Regulation (GDPR) in May 2018, an abundance of web sites, blogs, white papers, and articles have been published, all offering guidance on the new regulation and the details that data controllers / processors need to be aware of.
With a wealth of information available, there is little excuse for organisations not readying themselves for GDPR, getting to grips with the implications, and putting in place the necessary actions to ensure compliance.
Beware of misleading information and bad practice
Unfortunately, whilst there is a lot of excellent information available regarding GDPR, there appears to also be misleading information, from organisations that have either interpreted the ICO documentation incorrectly, or are deliberately avoiding key principles prior to GDPR coming into force.
For example, I recently read an article on GDPR, in which a company spokesperson commented that, “the main implications of data protection will occur only once Brexit is in motion.”
The ICO guidance clearly states that, “GDPR will apply in the UK from 25th May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.”
In another example, I was reviewing a marketing automation provider’s web site recently and noticed that they had compiled a white paper on GDPR, which was available to download for free if I submitted my email address to join their mailing list.
So, to get the GDPR white paper I had to sign up to a mailing list, despite GDPR implicitly stating that consent must be separate from other terms and conditions?
In short, whilst there is an abundance of excellent advice on GDPR, please proceed with caution, as there are instances of inaccurate, rushed and misguided information.
The more you read, the more confusing it can become, so please stick to reputable sources and if something sounds ‘shady’ then it probably is.
Maintain a contemporary understanding
It is also worthwhile noting that the Information Commissioner's Office (ICO) is continually expanding its GDPR guidance in key areas, with updates being issued monthly (https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/whats-new/).
To quote the ICO GDPR overview: “This is a live document.” Therefore, any guidance is potentially subject to change.
Of course, there are large areas of GDPR guidance that you can focus upon in readiness, but at this stage you will need to continue to regularly review documentation and maintain a contemporary understanding.
In conclusion, every organisation should take steps to ensure that its practices are GDPR compliant. Here are a few tips that you may wish to consider:
- Review the ICO guidance thoroughly and re-visit their web site on a regular basis to ensure that you are up to speed with the latest developments.
- Consider appointing a GDPR champion or working group to lead your organisation’s efforts ahead of the May 2018 deadline.
- Beware of misleading or inaccurate guidance or practices.
GDPR is an opportunity to re-visit data protection practices anew – grasp it with both hands.