Companies looking for definitive answers on how to comply with the looming GDPR are barking up the wrong tree; organisations will have to make their own decisions on how best to comply with the new regulation.
That is the rather worrying view put forward by DMA head of preference services, compliance and legal John Mitchison at a charity event late last week, at which he said organisations will not be given fully comprehensive guidance telling them what to do in every scenario under GDPR.
Mitchison told delegates at a Westminster Social Policy Forum seminar on charity fundraising that, in the absence of this advice, companies will have to make their own decisions about how best to do things in a compliant way.
“I think we’re lucky that the GDPR is a principles-based regulation and is not prescriptive,” he said. “So if you’re a glass-half-empty person, you might take this to mean you’re never going to have all the answers. There are just too many variations on what people do to have a prescriptive rule on what to do in every situation.
“If you’re more of a glass-half-full person, you’ll see this as giving you flexibility: you make the judgements yourself on how to do it and the way you do it is through the process of accountability.”
Mitchison said accountability was embedded in the GDPR in a way that meant it was not enough for organisations simply to comply – they also had to show that they were complying.
To achieve this, organisations would have to put in place technical and organisational measures, as well as training programmes, policies and audits, to ensure they had the proof to justify what they had done if anybody came asking.
He said: “Ultimately, you take into consideration the legislation but, because there are going to be no definitive answers, you have to make a business-risk choice about how you’re going to go. If you can ensure you’ve got an accountability process in place, the chances are you’re going to be doing all right.”
Mitchison added: “It might be a big change, but I don’t think it’s the apocalyptic disaster that a number of GDPR consultants who have conveniently appeared out of the woodwork would have us believe.”