Information Commissioner Elizabeth Denham has lambasted companies using scare tactics to flog “off the shelf” GDPR solutions, insisting that although there will be no grace period under the new regulation, companies which can prove they are moving towards compliance will not face tough sanctions.
In yet another “myth-busting” blog post, Denham said: “I‘ve heard comparisons between GDPR and the preparations for the Y2K Millennium Bug. In 1999 there was fear that New Year’s Eve would see computers crash, planes to fall out of the sky and nuclear war accidentally start.
“In the run up to May 25 2018 there have been anxieties too, albeit on a less apocalyptic level. Things like we’ll be making early examples of organisations for minor breaches or reaching for large fines straight-away and that the new legislation is an unnecessary burden on organisations.”
However, she attempts to allay these fears by insisting that GDPR compliance will be an ongoing journey and unlike planning for the Y2K deadline, GDPR preparation does not end on May 25 2018 – it requires ongoing effort.
Denham added: “We pride ourselves on being a fair and proportionate regulator and this will continue under the GDPR. Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.
“That means being able to show you have been thinking about the essential elements and who is responsible for what within the business.”
She also outlined the key building blocks including: understanding the information already held; implementing accountability measures; ensuring appropriate security; and providing appropriate staff training.
Whether this will be enough to silence the ICO’s critics is another matter. In the week before Christmas, the regulator published yet more draft guidance, this time on how firms should deal with children’s data. The consultation on this does not close until February 28.
Meanwhile, companies are still awaiting definitive guidance on consent (not expected until April) and how to use legitimate interests (not expected until the “new year”).
Responding to criticism that the regulator has been too slow in providing final guidance, an ICO spokeswoman recently told Decision Marketing: “I’d point you to our blog post which says the ICO’s draft guidance on consent is a good place to start right now. It’s unlikely that the guidance will change significantly in its final form.”
Final GDPR consent guidance may not be out until April
DMA tells firms: don’t expect all the answers on GDPR
Americans streets ahead of UK firms with GDPR plans
Firms finally wake up to GDPR but despair about future
Brace yourselves for the GDPR data ambulance chasers
ICO set to launch dedicated GDPR hotline for SMEs
ICO stands firm on ‘over strict’ GDPR consent guidance
GDPR fears mount over delay to ICO consent guidance
Third-party data crackdown will wreak havoc says DMA
DPN joins calls for more urgency over GDPR guidance
UK bodies publish GDPR ‘legitimate interests’ guidance
ICO insists GDPR guidance will cover legitimate interest
Industry on alert over third-party data legal crackdown
DMA joins forces in bid to demystify legitimate interests
GDPR consent updates spark chilling warning to brands
GDPR compensation to dwarf £30bn bill for PPI claims