So, the EU General Data Protection Regulation (GDPR) is here and the sky hasn’t fallen. Some have reacted with an eye roll and a muttered “what did you think was going to happen?” Others will think it’s Y2K all over again: a big build up for nothing.
Of course, the world post-25 May 2018 looks very much the same as it did before, but it’s much too early to pass judgement. The effects of the GDPR are coming – maybe not today, maybe not tomorrow, but soon, and it’s important to recognise what to expect. The Regulation was never going to be a light bulb moment for data privacy; rather, it’s signalled the start of an ongoing change, with organisations and individuals coming to terms with the practicalities of the law.
The majority of organisations still haven’t fully met the GDPR’s requirements, so the next few weeks will proceed as normal, with staff planning and implementing security controls with an increasing sense of urgency. The few organisations that have met the compliance requirements will know, more or less, what to expect in terms of organisational structure, but one big unknown is how individuals will react. On the one hand, most individuals aren’t aware of their increased data subject rights, and until the promised public awareness campaigns begin, it’s possible that organisations will get away with minor errors and receive very few data subject access requests (DSARs).
On the other hand, it wouldn’t be surprising if knowledgeable individuals responded to the recent barrage of GDPR emails from organisations that hold their data by submitting such DSARs. This might be simply a matter of good practice; there will be organisations that individuals didn’t realise even had their data, so those individuals will want to check what data the organisation holds and how it is using it.
There’s also the very real possibility that people will submit DSARs in an attempt to expose organisations as non-compliant. If an organisation is unable to provide the requisite information within 30 days, individuals can file a complaint with the organisation’s supervisory authority. If past data breach incidents are anything to go by, organisations that fail to meet a request can also expect a flurry of negative PR on social media.
What about the massive fines?
Damaged reputations are one thing, but the biggest talking point for most organisations has been the prospect of €20 million fines (or 4% of global annual turnover, if that’s greater). Many organisations have been scared straight by this danger; others have said it’s an empty threat and refused to comply with the GDPR until there’s evidence that fines will be handed out.
The problem is twofold. First, supervisory authorities have expressly said that fines will be a last resort and only levied if organisations flagrantly disregard the Regulation or commit repeated offences. No one should expect a big-name organisation to be made an example of and slapped with a €20 million fine in the next week or so. However, that doesn’t mean organisations will get away with violations. Supervisory authorities can discipline organisations in a number of ways, including enforcement action, and even moderate financial penalties could have huge consequences.
Second, it takes time for fines to be issued. The supervisory authority needs to become aware of a possible infraction, investigate it and decide on an appropriate course of action. The process will take weeks, if not months, so the first publicly announced fines related to the GDPR probably won’t come until at least July 2018.
But that might not stop a concerning narrative forming that fines won’t be coming, causing organisations to take the GDPR less seriously. By the time they realise their mistake, it could be too late – and given that they flagrantly disregarded the Regulation, they would, ironically, be among the few organisations to receive strict penalties.
How to achieve GDPR compliance
If you’ve not yet implemented the GDPR’s requirements, you’re not alone. Many organisations have either run out of time or only learned about the Regulation recently. But there’s no need to worry. As we said, as long as you can demonstrate that you are taking compliance seriously, you’re unlikely to receive a major fine. The important thing is to crack on with compliance as efficiently as possible. You can get expert advice on how to do this by reading our free green paper: EU General Data Protection Regulation – A Compliance Guide.
This guide provides an overview of the key changes introduced by the GDPR, the scope and impact of the Regulation and the areas that organisations need to focus on.