GDPR Day is finally here! It feels like it has had nearly as much hype as another date later in the calendar that falls on the 25th of the month.
There is perhaps a common theme. In both cases there is the sudden panic that you are not ready for the 25th. Whereas in December the panic is often about having left it to the last minute to buy presents or not having ordered the turkey, in May of this year the panic has been more about the unknown.
I can think of very few instances in my professional life where there has been so much uncertainty about the introduction of a set of new regulations. Even when new groundbreaking regulations were introduced in the past (age discrimination is a good example), there was still a degree of certainty amongst experts as to what this meant for employers and employees alike. With the GDPR, this certainty has been lacking.
You only need to listen to radio programmes or read items on news websites to realise how much confusion still remains over the GDPR.
Earlier this week, a rumour went around that the Information Commissioner’s Office (ICO) was granting a 12-month period of grace when they wouldn’t fine any businesses who were in breach.
I have yet to see anything to substantiate this. In fact, I have heard the opposite from some sources, suggesting that the ICO considers we have already had sufficient time to comply.
The panic to meet the deadline of the 25th has arisen for a number of reasons. One main reason was the very gradual nature of the guidance put out by the ICO, such that even at the start of January this year, many people thought that consent was necessary to process any data about people. Only earlier this year did phrases such as “privacy notices” and “data mapping” become entrenched in the GDPR process.
Very few advisers were willing to give out any detailed guidance to their clients until it was clear what that guidance should be.
This has resulted in a last-minute rush to comply. Whilst some businesses appear to be largely compliant, others have not even begun the process. We are still hearing from businesses, particularly the smaller SMEs, who have not even worked out what they have to do, let alone implement it.
Even amongst so-called GDPR experts, there is a difference of opinion on how far a business has to go to lawfully communicate with its customers. We have all been bombarded with requests to opt in to remain on marketing lists and yet some experts consider the vast majority of these requests were actually unnecessary. It seems that many businesses who have sent out these emails have adopted the “better to be safe than sorry” approach.
It is therefore challenging to work out what message to send out to businesses. In theory, they could face fines at any moment. Common sense suggests this is unlikely to happen and suggestions from the ICO in the past few days have given the impression that they may take an understanding approach, at least at first.
Our message is not to panic but equally not to be complacent. Even though the deadline has arrived, it is still not too late to act.
Don’t be intimidated by scare tactics telling you that you need to pay thousands of pounds to GDPR “experts” to ensure you are compliant. At the same time, if you don’t have the resources to cope with what is needed, perhaps consider getting somebody in for a day or two to help complete the “data mapping” and to put in place privacy notices for your staff, your labour-only sub-contractors and others about whom you hold personal data. Having a plan and an achievable timescale is key to avoiding panic.