Don't panic over GDPR: marketing hyperbole adds confusion to new data laws

Experts advise a calmer approach to new data laws than the fear, uncertainty and doubt currently circling the UK IT industry

Here's something you don't hear very often about the looming GDPR changes: don't panic.

The General Data Protection Regulation (GDPR) comes into play May 2018, which is plenty of opportunity for businesses to update their practises and plenty of time for consultants to market their services.

While plenty of IT consultancies are offering helpful GDPR services, for some it's clear there's no better way to do that than fear, uncertainty and doubt. Consider headlines such as these: "Will Artificial Intelligence be illegal in Europe next year?", "GDPR could cost FTSE 100 companies $5 billion in fines", and, from the Sun, this mouthful: "Builders, cleaners and gardeners could face huge fines just for sending an email to drum up business thanks to draconian EU laws on data protection".

Of course, GDPR is a big deal. "The GDPR is the biggest shake up of data protection laws in over 20 years," said Martin Sloan, partner at law firm Brodies. But it won't be much of a challenge for those already carefully considering and protecting their data. "For many organisations, compliance will be a case of evolution, not revolution," Sloan said. "For other organisations, it will require them to take data protection seriously for the first time."

Advertisement
Advertisement - Article continues below

And those companies are the target of concerted marketing campaigns by service providers looking to make a quick buck out of GDPR fears. "The challenge is working out what your organisation needs to do to be compliant and many service providers are capitalising on that uncertainty as a means to sell their products and services," said Sloan. "This, coupled with hyperbole around the fines for breaching GDPR, means there's a serious risk that the key principles of transparency and accountability are lost in the noise."

Tim Turner, founder of 2040 Training, agrees. "I think there are people who have entered the market to sell specific GDPR services who are using the theoretical possibility of fines as a way in effectively [to convince people they] should use their services," said Turner. "Not because they're building a framework over time or addressing specific issues. It's simply that you've got to do something now because otherwise you'll get fined 20 million, which isn't real."

Even the Information Commissioner, Elizabeth Denham, agrees there's too much confusion she's kicked off a series of blog posts to bust GDPR myths because there's so many kicking around. "And I'm worried that the misinformation is in danger of being considered truth," she notes in the post. "If this kind of misinformation goes unchecked, we risk losing sight of what this new law is about greater transparency, enhanced rights for citizens and increased accountability."

Fine times

Of course while there's a possibility of fines and they are increasing in value that doesn't mean it's time to panic. "While the maximum fines increase substantially under GDPR, for many organisations those figures are irrelevant," noted Sloan. "Any fine must be proportionate. What's far more significant is that there will no longer be a requirement for individuals to suffer damage or distress before a fine can be issued. The ICO will have the power to issue fines for near misses and administrative breaches. That makes a big change to an organisation's risk profile."

Plus, while the Information Commissioner has the power to fine, that data watchdog has traditionally been reluctant to do so. "To be fair to them, they tend to be a lot more measured about it in the first place," said Turner. "They're not talking about automatic penalties immediately... they have these powers, and they may use them, but if you look at the commissioner's track record, it's quite cautious and it's not likely to change."

Sloan added: "The ICO isn't going to start knocking on everyone's door on 26 May it doesn't have the resources to do that but it has made it clear that it does not intend to delay investigating reports of alleged non-compliance."

Indeed, commissioner Denham has said fines will be a last resort. "Issuing fines has always been and will continue to be, a last resort," she says in her blog post. "Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned."

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Most Popular

Visit/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019
Visit/business/business-strategy/354195/where-modernisation-and-sustainability-meet-a-tale-of-two
Sponsored

Where modernisation and sustainability meet: A tale of two benefits

25 Nov 2019