What happens on 25 May 2018 if you are not GDPR compliant?
Indeed what does compliant actually mean?
First of all, there is no bullet-proof way to know whether you are fully compliant or not. All you can hope for is that you have done enough to meet the requirements of all the mandatory Articles of the regulation that apply to your organisation. Unfortunately, there is as yet no Kitemark or certification scheme to say you are fully compliant with GDPR, in the way that there is for, say, ISO 27001. Not yet, anyway. I understand the European Data Protection Board (EDPB) is considering a certification scheme for GDPR, but that is some way off.
What the ICO (UK) or other Supervisory Authority will expect is that you have met most of the requirements to mitigate or lessen the impact of any mishaps on the data subject. Therefore, it is essential that you are able to demonstrate this: not just by saying “trust me, guv, we are compliant”, but with hard, documented evidence. One thing is certain: compliance is evidence-driven.
What I suspect they would not be happy with is organisations taking the proverbial pee with people’s personal data. And they will make early examples of such organisations to show they mean business and to generate revenue for the ICO.
I suspect, and given the lacklustre response and confusion surrounding GDPR I am sure, that not all organisations will be fully compliant. This is quite evident from the conversations I am having and hearing from people.
What about Brexit?
I was asked this question only this morning, and again yesterday: if you are outside the EU, do you still have to comply?
What about it? We will still be processing EU citizens’ data and doing business with the EU (hopefully). The GDPR is global.
People are still not sure whether compliance is needed for the UK in light of Brexit. That question was answered by the ICO a while ago: regardless of Brexit, the UK will comply with the GDPR. This means the ICO is serious about data privacy and will expect UK organisations to comply accordingly. There are no ifs or buts about it anymore.
Leaving it too late?
This should be a cue for organisations that they cannot be relaxed, hoping that Brexit will derail the GDPR train coming towards them at speed. Yet there is hardly any noticeable flurry of activity in recruitment or focused projects. Most organisations seem to be at an investigatory phase. Some are looking to April for budgets, and interested parties are scheduling C-level seminars on GDPR for April 2017. That means the decision makers are not taking on board the fact that by April 2017 they would have only 13 months left to become compliant. That would be a huge challenge for most organisations. I doubt many would be fully compliant against the existing DPA, let alone the GDPR. And the DPA has been around for nearly 20 years!
Should you take a risk based approach to GDPR?
Sure you can but should you?
So what would happen if organisations are not compliant on the 28th of May 2018?
Nothing, I suspect. Unless, of course, you have a personal data breach, or a disgruntled employee or customer blows the whistle on you and you are investigated by the ICO. Then I suspect there will be all sorts of impact. Non-compliance with any of the Articles will certainly mean a remedy under the law. This could mean automatic fines for severe non-compliance, warnings for minor non-compliance, or both. However, for larger breaches due to gross negligence or non-compliance, expect hefty fines, which could be the maximum possible of 4% of global turnover or 20m Euros, whichever is greater. The loss to a commercial organisation, as was seen with TalkTalk, does not end with just the fines. Indeed, TalkTalk was fined £400,000 under the current DPA, a record-setting fine close to the maximum possible on its own. Under GDPR a 4% fine would have equated to 80m Euros based on their published turnover for the last financial year. Add to that the accounted loss associated with the data breach of 60m Euros. That is a staggering 140m Euros so far. The impact will no doubt last for a few more years to come. It is telling that their published annual report starts with the impact of the data breach.
Can your organisation survive? Do you want to take the risk?