GDPR: by now, you will know that it is the General Data Protection Regulation and when it will be enforceable (May 25), but do you actually know exactly what you have to do? You are not alone - there are thousands of companies and millions of people who still don’t know exactly what they need to do either, and there’s good reason for that.
GDPR is complicated and, in some ways, really confusing. It is legislation made up of 99 articles and 173 recitals, and much of the wording is currently subjective and vague. This means a lot of commentators are getting key facts wrong, because so much of the wording is contradictory and open to interpretation. Or they are fixating on one part of the legislation. Or they simply haven’t read it.
I have already invested months of my time in learning and understanding GDPR and the separate articles it contains. I’ve attended two training courses and, after taking exams, I’m now a GDPR Certified Practitioner. I’ve given a series of GDPR master classes across the UK and I’m going to be speaking about the subject at International Confex. Yet I am still stumped by certain conditions, caveats and phrases. And so, it seems, is the ICO.
The ICO (the Information Commissioner’s Office) is the UK governing body for GDPR - the data police, if you like. They operate a helpline for companies to call with their GDPR questions. I’m a pretty regular caller; I think they may start to recognise my voice soon. Early in November I asked the ICO a question in writing. It took them 75 days to reply, and their answer was: ‘We don’t know’!
My question was about Article 30. Paragraph 5 of that article provides an exemption from some of the detailed record-keeping requirements for small businesses, so long as they have fewer than 250 employees. But the exemption will not apply if the processing ‘is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data’.
‘Special categories of data’ is easily defined and that's fine.
‘Likely to result in a risk to the rights and freedoms of data subjects’ is a little fuzzier but still not awful.
‘Processing is not occasional’ is the kicker; just what is occasional? Once a day? Once a week? Once a month? Is it how often you look at the whole data set or how often you look at individual records?
The ICO told me: ‘We are unable to provide further clarification on this at this time’. This means that, with less than four months until GDPR is enforceable, no small business can tell whether it is exempt from the record-keeping requirements.
Don’t get me wrong – I believe that GDPR is generally a good thing, but this is a journey where we are currently in the dark and feeling our way to some extent. The ICO releasing more detailed guidance later this year will help, but even then it’s likely to leave a lot of other questions unanswered until we start seeing the outcomes of ICO investigations and the decisions that follow them.
That said (and despite me saying that the ICO is like the data police), don’t believe the hype being bandied around about huge fines. The ICO isn’t generally interested in fining organisations as punishment. In her blog, Elizabeth Denham, the Information Commissioner, highlighted their track record and pointed out that in 2015/16 the ICO investigated 17,300 cases and just 16 of them resulted in fines, because the ICO would rather encourage responsible stewardship of data than punish organisations with fines.
GDPR is about doing the right thing: taking responsibility for the data your company holds, the way you use it, how you store it and how long you keep it. We have published a white paper on the subject, ‘Get Ready for GDPR: Your events management strategy’. The paper is free to download and gives you a framework of questions to follow so you can create your own GDPR strategy. To download it, go to https://www.eventreference.com/gdpr