Don't panic over GDPR: marketing hyperbole adds confusion to new data laws
Experts advise a calmer approach to new data laws than the fear, uncertainty and doubt currently circling the UK IT industry
Here's something you don't hear very often about the looming GDPR changes: don't panic.
The General Data Protection Regulation (GDPR) comes into play May 2018, which is plenty of opportunity for businesses to update their practises and plenty of time for consultants to market their services.
While plenty of IT consultancies are offering helpful GDPR services, for some it's clear there's no better way to do that than fear, uncertainty and doubt. Consider headlines such as these: "Will Artificial Intelligence be illegal in Europe next year?", "GDPR could cost FTSE 100 companies $5 billion in fines", and, from the Sun, this mouthful: "Builders, cleaners and gardeners could face huge fines just for sending an email to drum up business thanks to draconian EU laws on data protection".
Of course, GDPR is a big deal. "The GDPR is the biggest shake up of data protection laws in over 20 years," said Martin Sloan, partner at law firm Brodies. But it won't be much of a challenge for those already carefully considering and protecting their data. "For many organisations, compliance will be a case of evolution, not revolution," Sloan said. "For other organisations, it will require them to take data protection seriously for the first time."
And those companies are the target of concerted marketing campaigns by service providers looking to make a quick buck out of GDPR fears. "The challenge is working out what your organisation needs to do to be compliant and many service providers are capitalising on that uncertainty as a means to sell their products and services," said Sloan. "This, coupled with hyperbole around the fines for breaching GDPR, means there's a serious risk that the key principles of transparency and accountability are lost in the noise."
Tim Turner, founder of 2040 Training, agrees. "I think there are people who have entered the market to sell specific GDPR services who are using the theoretical possibility of fines as a way in effectively [to convince people they] should use their services," said Turner. "Not because they're building a framework over time or addressing specific issues. It's simply that you've got to do something now because otherwise you'll get fined 20 million, which isn't real."
Even the Information Commissioner, Elizabeth Denham, agrees there's too much confusion she's kicked off a series of blog posts to bust GDPR myths because there's so many kicking around. "And I'm worried that the misinformation is in danger of being considered truth," she notes in the post. "If this kind of misinformation goes unchecked, we risk losing sight of what this new law is about greater transparency, enhanced rights for citizens and increased accountability."
Of course while there's a possibility of fines and they are increasing in value that doesn't mean it's time to panic. "While the maximum fines increase substantially under GDPR, for many organisations those figures are irrelevant," noted Sloan. "Any fine must be proportionate. What's far more significant is that there will no longer be a requirement for individuals to suffer damage or distress before a fine can be issued. The ICO will have the power to issue fines for near misses and administrative breaches. That makes a big change to an organisation's risk profile."
Plus, while the Information Commissioner has the power to fine, that data watchdog has traditionally been reluctant to do so. "To be fair to them, they tend to be a lot more measured about it in the first place," said Turner. "They're not talking about automatic penalties immediately... they have these powers, and they may use them, but if you look at the commissioner's track record, it's quite cautious and it's not likely to change."
Sloan added: "The ICO isn't going to start knocking on everyone's door on 26 May it doesn't have the resources to do that but it has made it clear that it does not intend to delay investigating reports of alleged non-compliance."
Indeed, commissioner Denham has said fines will be a last resort. "Issuing fines has always been and will continue to be, a last resort," she says in her blog post. "Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned."