With the GDPR now well and truly looming over us, the ICO (Information Commissioner’s Office) data protection conference on 9 April 2018 provided some key messages and reassurances.
25th of May 2018 is the beginning, not the end
Data protection compliance is, and always has been, an ongoing process.
It is not simply a matter of getting contracts and notices updated by May 25th. Instead, the GDPR encourages a wider cultural shift away from data quantity towards data quality, with systems designed to protect and uphold individuals’ privacy rights from the outset. The messaging from the ICO on this point recognised that all of this takes time.
The GDPR is an ‘aspirational’ piece of legislation. It may not be possible to have reached the gold standard by May 25th and the enforcement action taken by the ICO will reflect this.
Consent is only one way to process data
There are six ways you can justify your processing of personal data – consent is only one of them.
In my day-to-day practice, I have seen consent being overused, with clients worrying that consent is required for all uses of employee and customer data in a post-GDPR world. This is simply not the case.
Consent can be a very powerful way of giving your customers the greatest choice possible, but it will not be appropriate in every instance. Crucially, the GDPR does not require consent to be obtained for every use of data.
Transparency is key
People need to understand how their data is being used, and this information must be communicated in an easily accessible way.
Evidence and accountability
Being able to explain and evidence why you have decided to use data in a particular way is critical.
Completing the template processing registers the ICO released recently will be a good starting point, and the questions in those registers should also prompt a wider review of your data handling practices. These registers are available for download here.
When you are relying on your legitimate interests to justify handling data, a privacy impact assessment can be an invaluable tool. A privacy impact assessment is essentially a series of questions against which your data handling activity is assessed, making sure your proposed use of data is reasonable in each circumstance. It will also demonstrate to the ICO that you have genuinely considered how your data practices can be tweaked and improved to better respect individuals’ privacy rights.
The GDPR is not an excuse to multiply fines
The Deputy Commissioner made clear that if a £20,000 fine is fair and proportionate under the current law, a £20,000 fine would also be fair and proportionate under the GDPR.
It seems the GDPR will not be used as an excuse to simply multiply fines. The ICO’s focus and initial objectives will remain on education and prevention, rather than deterrence and enforcement.
Is it creepy?
Clients often ask me whether a planned data project is compliant, or if there’s anything else they need to do to avoid a regulatory risk.
Part of the conference included talks from data protection officers, who suggested there are two light-hearted questions to ask when grappling with the “is this compliant” question:
- Is it creepy?
- Are you being a git?
If the answer to either of these questions is yes, it’s probably not compliant without a few changes!
If you are preparing for the GDPR and need some extra support, we have a 10-point GDPR to-do list on our website here. We have also created various GDPR support packages, which you can find out about here. No matter what stage your compliance efforts have reached, we can help you identify the key issues, and ensure you tackle them correctly.