So #GDPRDay has finally arrived. My key message today is simple: Don't Panic! Compliance with the GDPR is a process, which is not supposed to be "complete" by today. Much like a puppy, the GDPR is not just for GDPR Day – it is for life.
The Information Commissioner has for months been managing expectation and concern around the significantly increased levels of fine which are now at her disposal. She has repeatedly said she will take a proportionate approach and is not looking to levy large fines immediately. If there is a breach, she will take into account the organisation's GDPR compliance programme – she does not expect everything to have been accomplished by 25 May 2018. That, too, means you should not panic. But it does mean you should have a GDPR roadmap in place.
GDPR requires a risk-based approach to personal information – the measures in your roadmap which you prioritise and implement should be based on addressing those areas of highest privacy risk to you and to individuals.
My advice is to focus on the Information Commissioner's Information Rights Strategic Plan 2017-2021 (published 3 April 2018) and her Regulatory Action Policy (now out for consultation). These clearly set out her regulatory approach. She identifies six strategic goals, which will shape how she will take regulatory action.
The first goal is to "Increase the public's trust and confidence in how data is used and made available", and it specifies several strategic priorities:
Increasing transparency – the ICO emphasises that the public expect the highest standards of transparency for processing of personal data that has a serious impact on their lives
Creating a culture of accountability – which begins "Organisations should provide assurance to the public, and where necessary to us as the regulator, about how they manage data protection and privacy."
The implication is clear: the ICO will focus first on processes that relate to transparency and accountability. The consultation Regulatory Action Plan emphasises that organisations which can demonstrate "strong information rights accountability arrangements can expect us to take these into account when deciding how to respond" to complaints or to a breach. So the ICO will "reward" compliance.
She has also given clear guidance in her Regulatory Action Policy on how she will fine:
"To be effective, proportionate, dissuasive and consistent in our application of sanctions, targeting our most significant powers for organisations and individuals suspected of repeated or wilful misconduct or serious failures to take proper steps to protect personal data; where formal regulatory action serves as an important deterrent to those who risk non-compliance with the law."
The ICO will never fine a business into bankruptcy or a public authority into penury. But she will pitch the level of fine to make an impact, and she will take into account intent and failure to fix previous problems.
So whether you are a local authority in the midst of reviewing your processor contracts or a company rolling out training on your brand new retention schedule, the key to managing GDPR compliance is having a process in place to identify and address privacy risks, focusing first on transparency and accountability. And turning that into a sensible GDPR Roadmap.
You can draw on professional assistance: in identifying the risks to you and to individuals, in drawing up a plan, and in taking the requisite steps. But choose your advisors wisely and look for a history of data protection expertise with roots before 2018.
Estelle has been practising in data protection for almost 10 years and is an expert on the GDPR and the DPA 2018. She is a member of the European Commission's Multistakeholder Expert Group on the GDPR.