
GDPR: Dumb Ways to Fail (Part 7)

Toby Stevens

Detective Inspector Jack Regan glared at the name on the door in front of him, ‘T.Stevens’ it said. No rank. Curling his lip, he raised his hand to knock. The door flew open. A man in a suit stood inside, giving Regan a hard, appraising stare. “About time, Regan,” he snapped. “Come in, we need to talk about this new General Data Protection Regulation…”

GDPR Dumb Ways to Fail: 7. Treat May 2018 as a deadline

For the early years of this millennium, doomsday crackpots predicted that the world would end in 2012, as prophesied by the Mayan calendar.

For the past two years, that role has been taken on by vendors and consultants who have foreseen the apocalypse on 25th May 2018, the day the GDPR becomes enforceable. Supervisory Authority Enforcement Agents will kick down the door of each and every company, charity or public authority that is in possession of so much as a phone book, and their Data Protection Officers will be dragged off to Wilmslow to face punitive fines or fall down the ICO’s stairs.

We’re The ICO, son, and we haven’t had any dinner. You’ve kept us waiting, so unless you want a kicking you tell us where the personal data is.*

Really? That’s dumb.

We’ve already talked about the reality of fines, so if the percentage-which-must-not-be-spoken isn’t going to be universally applied, then what will actually happen?

In August, Information Commissioner Elizabeth Denham wrote:

“The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”

The ICO will doubtless work to enforce the new law and uphold information rights, but we won’t see a sudden rush of punitive enforcement actions.

The GDPR is an evolution of current data protection laws, so think about what changes on 25th May 2018. There is no visit from GDPR auditors that day to award or revoke a certificate. There is no industry-regulated cut-off that will result in your systems being shut down. GDPR readiness is not a one-off project, but a move to a new way of working with personal data.

What changes is your organisation’s processing risk profile. You are exposed to some fresh risks, and the potential impact of those risks increases significantly. If you have built your delivery around a risk-based approach, and ensured that the change in risks is reflected in executive risk reporting, then you have already acknowledged that there is no such thing as ‘GDPR compliance,’ only GDPR readiness, and your risk model can accommodate the change. Yes, those risks might come to pass. But in the meantime business goes on, and your organisation can continue to make rational, correctly prioritised operational choices, based on an understanding of operational risk and an appropriate weighing against other commercial needs.

25th May 2018 remains a big deal, but for your project it should be just a risk milestone, rather than the end of the world. The apocalypse will have to wait for the next doomsday prophecy**.

*I’ve always wanted to use that line.

**Which might actually be the ePrivacy Regulation.

Please suggest your own GDPR Dumb Ways to Fail in the comments below, and we’ll add them to the list to be tackled in the coming days.

GDPR: Dumb Ways to Fail (Part 1)

GDPR: Dumb Ways to Fail (Part 2)

GDPR: Dumb Ways to Fail (Part 3)

GDPR: Dumb Ways to Fail (Part 4)

GDPR: Dumb Ways to Fail (Part 5)

GDPR: Dumb Ways to Fail (Part 6)

Toby Stevens, Director, Enterprise Privacy Group
