NEXT month sees the introduction in the UK of the much-heralded General Data Protection Regulation (GDPR), a new set of laws governing the use and storage of digital information, and designed to protect our sensitive personal data in an increasingly connected world.
In some quarters the legislation has been hailed as something akin to digital Armageddon – a set of proposals so draconian that they will very soon serve to smother businesses in a sea of regulations, red tape and million Euro fines.
For others, GDPR fever has been compared to the misguided national angst generated by fears that the Millennium Bug would wipe out computer systems on the stroke of midnight back on New Year’s Eve in 1999. The truth, as is so often the case when it comes to trying to govern something as complex as data, lies somewhere in the middle.
Make no mistake, GDPR is here to stay – even post-Brexit – and its impact is likely to be felt in some shape or form by businesses of all sizes in all sectors.
Much of the hype in the run-up to implementation has been around the size of the fines that the EU will have the power to impose on anyone found to be in serious breach of the rules.
This is hardly surprising, as figures of up to 20 million Euros or four per cent of global turnover certainly have the power to make any CEO sit up and take notice.
However, the reality of the situation is that it is highly unlikely that every business will be 100 per cent compliant with every aspect of data protection law from May 25, the date of implementation.
Rather than setting out to be purely punitive, GDPR is really all about making sure that there is a long-term and committed attitude change to use of personal information.
The law is changing to adapt to the much greater use we all make of the fast-growing global data pool.
I believe there’s actually a strong case to be made that the new legislation is potentially good for business, especially in the light of our leaving the EU next year.
Regardless of whether it is a hard or soft Brexit, UK plc will need to be able to demonstrate to its customers and trading partners around the world that it has strong protections in place for the valuable commodity that is personal data, and in many ways GDPR is likely to act as something of a ‘kite mark’ to show that British firms are safe and reliable entities to work with.
Data protection compliance shouldn’t be thought of as a race, however scary the impending deadline seems.
It is meant to be an ongoing commitment and an integral and adaptable part of any business.
So, for any firms out there who have yet to take the time to consider the implications of GDPR, this is absolutely not a repeat of 1999 and we won’t all wake up on May 25 wondering what the fuss was all about.
But by the same token, while the Information Commissioner’s Office has suggested that it won’t impose fines in order to financially cripple, it has made it clear that demonstrating a real effort to minimise risk and mitigate loss will be taken into account if there has been an issue of non-compliance.
The advice is to think of data protection as cultural evolution backed up by consistent processes rather than legislative diktat backed up by the threat of financial penalties.
Sarah Power is an Associate in the hlw Keeble Hawson Litigation and Dispute Resolution team.