You’re not yet compliant with GDPR? Don’t panic – few people are.

by Kate Tickner on 22nd May 2018

The GDPR enforcement date is almost upon us. Consequently, our email inboxes are packed with GDPR-related emails from all the companies we’ve ever dealt with, and the volume is rising day by day in the run up to 25 May. Many organisations are in panic mode, trying to get everything done in the final run up to ‘GDPR day’. But how realistic is it to expect all organisations to be 100% compliant by 25 May? And do we even know for sure what ‘compliant’ looks like?

One thing that’s really struck me when looking through the GDPR emails that companies are sending me is the great diversity of practice. There’s clearly no agreement on the best way to handle GDPR. Some organisations are going for a relatively light touch, just letting customers know they have updated their privacy policy. Others are repermissioning their whole lists. Still others are moving out of the email marketing game altogether – Wetherspoon’s, for example, has decided to delete its whole customer email list. So what’s the right approach? The truth is that at this point we just don’t know.

GDPR is ambiguous by design

Ambiguity is built into GDPR by design. In the UK, GDPR is the first significant update to data protection legislation since the Data Protection Act of 1998. Back when the DPA was written there was no social media, no Google, no smartphones, no cloud computing, and email and SMS marketing were in their infancy. The DPA is really designed for a pre-digital marketing environment, so in 2003 the PECR (Privacy and Electronic Communications Regulations) were created.

PECR implement the 2002 European Directive (also known as the e-privacy directive). PECR set out more specific privacy rights on electronic communications and have been updated four times – most recently in 2015. PECR will also be updated in line with the GDPR, but that update is not ready yet, so for now the existing e-privacy rules apply alongside the GDPR.

GDPR’s lack of specificity is designed to help regulators avoid being caught out by technologies or data uses that haven’t been imagined yet, and to give consumers protection against abuses of these technologies as they develop. Some of the language around security requirements, for example, is deliberately vague. Article 32 requires organisations to put in place security measures that “[take] into account the state of the art” at the point at which they’re being implemented, whatever the state of the art may be at that point. This is because the speed of change in the data security field is such that it’s almost impossible to be prescriptive about exactly what’s required.

Can you show that you’re acting in good faith?

The key thing is that, should there ever be an issue, you need to be able to demonstrate that you were acting in good faith, trying to comply with the regulations as you understand them. Where there’s ambiguity (and there’s plenty) each organisation will need to decide for itself how best to approach particular aspects of GDPR.

That said, there are some guiding principles to keep in mind. If you’re not sure how to handle a particular situation, then look at it from the consumer’s point of view. Would the consumer expect to get a particular communication from you? Would they consider it reasonable? Have you balanced your own legitimate interests against those of the consumer? Can you show that you considered these things in making a decision?

Privacy Impact Assessments are a useful tool here. Keep records of the discussions you’ve had internally, and build up an audit trail that shows you’ve considered things carefully and can justify the decisions you’ve made. Have a plan in place with timelines, dates and deadlines, showing how you’re moving towards GDPR compliance.

25 May 2018 isn’t going to be the end of the GDPR journey for anyone

For many organisations, 25 May is just the start of the GDPR journey. Organisations that have adopted a ‘head in the sand’ approach, thinking that they might be able to get away with non-compliance, or that breaches and fines won’t affect them, are probably in for a rude awakening. Some might also be betting on regulators taking a softer approach for the first few years. That’s almost certainly a mistake. GDPR is designed to tackle the kinds of organisations that engage in systematic data abuses, and regulators are likely to take a dim view of cases where no attempt has been made to comply.

What if you’re trying to comply but you’re subject to a breach or a complaint? It’s almost certainly not the regulators’ aim to punish the honest mistakes of organisations that are trying to do their best. If you’re already compliant with the 1998 Data Protection Act, then you’re in a good position for GDPR compliance too. The aim of GDPR is to take the good practice of the DPA and help organisations build upon it.

Although we can’t rule out the possibility of large fines and punishments right from the get-go, it’s probably also the case that regulators are looking to help organisations comply wherever possible. The harshest punishments are likely to be reserved for organisations that commit knowing breaches of the regulation rather than those who are demonstrably trying to do the right thing but may have inadvertently made a mistake somewhere along the line. Whilst 100% compliance on day one may not be expected, willingness to comply certainly is. Essentially it’s about showing that you’re taking the rights of data subjects seriously.

If you would like help in reviewing your current GDPR readiness status or implementing any aspect of the data management practices required to become compliant (e.g. DPIAs or data maturity assessments) then Entity Group can help you – get in touch to find out more.