(Note: this article is not intended as legal advice. If you are uncertain about your own data protection requirements, please contact the ICO or a legal expert.)
The GDPR deadline is only a week away, and the ICO is currently sharpening millions of big, pointy sticks, ready to punish businesses across the UK for the slightest data-related infractions. Big fines are coming, and the only solution is to panic madly and delete everything before the Information Commissioner, Elizabeth Denham, and her gang come knocking at your door.
At least, that’s how it might seem without some much-need perspective.
Despite Denham herself saying, in an ICO blog post, that General Data Protection Regulation was not about fines and that her department would be working with organisations to make the new rules work, confusion and worry are still rife. Just this week, ITPro reported that Labour MP Chris Bryant said some of his staff came away from a GDPR training session with the impression that they would have to “delete all casework information from before June 2018."
As the article went on to say, this idea was later refuted by speaker of the House, John Bercow, who stated, “"Despite vigorous inquiry yesterday by the House Authorities and the contractor commissioned by the House Authorities to support Members and their staff, no trace has been found by those responsible of such advice having been given."
And yet, it seems, that’s exactly how the advice was interpreted and, to be frank, by people who should perhaps know better.
On the very same day as the ITPro article was published, the Register also ran a GDPR-related story. In ‘Whois privacy shambles becomes last-minute mad data scramble’, American correspondent Keiren McCarthy explained how ICANN, a major non-profit organisation central to the running of the internet and the .com registry, was having to rush through emergency measures to comply with GDPR.
ICANN is responsible for WHOIS, which records and publishes information about website registrants, including names and addresses. The very idea of WHOIS is a GDPR nightmare, with personal data being made publicly available without permission. But ICANN is an American organisation, and although GDPR applies to any company that holds the personal data of European citizens, no matter where that company is based, friction between European and foreign laws was both inevitable and predictable. As McCarthy said in his report, “powerful US corporate interests want the current rules retained and feel that European laws should not override the current system put in place by US corporations and overseen by a US organization.”
That resistance led to ICANN leaving everything until the last minute, and with the firms that run WHOIS, under contract to ICANN, potentially facing the ICO’s army of pointy stick wielders (by which we mean stiff financial penalties).
An epidemic of panic has also been spreading among the Android development community, many of whom make their money via Google’s Admob advertising system, which - quelle surprise – probably isn’t GDPR compliant. Until it gets sorted, they may have to change their funding models, just to stay in business.
How much of this hand-wringing is actually justified? Will the ICO really start slamming everyone with fines the minute the deadline passes? After all, just the day after the ITPro article, the ICO itself announced that it had fined the Crown Prosecution Service £325,000, under the existing Data Protection Act. If the ICO is prepared to that to another government body, how will private organisations fare?
While this might seem like good cause for running into the hills, screaming and pulling out your hair, it’s important to release what the CPS did to attract such a large fine. It didn’t just forget to ask permission before sending out a newsletter or neglect to remove a pre-ticked opt-in box from a sign-up form; it lost unencrypted DVDs containing recordings of police interviews with child sex abuse victims – and it was the second fine that had been imposed on the organisation for losing sensitive video material. Considering the nature of this error, you could easily argue that the fine wasn’t big enough.
Most businesses, of course, never have to deal with such sensitive data and, hopefully, they won’t ever be guilty of such astounding incompetence either.
The likes of ICANN and Google, meanwhile, might find themselves in trouble if they don’t get their acts together, because they hold such vast amounts of personal data, and because they have more than enough resources to implement robust, comprehensive data protection policies and procedures. In other words, they really have no excuse, particularly seeing as they’ve had the best part of two years to get ready for GDPR.
What of smaller businesses, though? Will they be held to the same standards as huge, multinational corporations and government departments? Maybe, maybe not, but it will likely depend on what kind of efforts they’ve made to comply with the new rules - and if they break them, what the scale and nature of the infringement is. If, for example, you’re making millions of unsolicited phone calls to strangers, hounding them to buy your products or services, then the ICO is probably going to come down hard on you, as it should. But if you suffer a data breach, despite having up-to-date cyber security measures in place or you accidentally send a marketing email to someone who opted out, then any punishment you get will presumably be proportionate to the offence.
Pretending GDPR isn't happening is a bad idea, and you shouldn't be skipping along happily thinking it won't affect you. It will. But it's important not to let it overwhelm you and your business or to rush things through that might cause problems further down the line. Yes, there’s only a week left until the GDPR deadline, but panicking is not the solution. If you haven’t finished getting GDPR compliant, you should be working toward it, and you may need to put some ICANN-style interim solution in place until you’re totally ready. But unless you’re being negligent or purposely flouting the rules, remember: the ICO will be saving its biggest, pointiest sticks for someone else.
Cyber security is a major component of data protection and GDPR requirements. Contact TMB to find out about our enterprise-class firewalls, cyber security training, backup solutions and Cyber Essentials assessments. Call us on 0333 900 9050 or email info@tmb.co.uk.