If you were celebrating the Chinese New Year last week, you’ll probably know that 2018 is a Dog Year, according to the 12-year Chinese astrology cycle. It’s also the year of the GDPR: on 25 May the countdown that started nearly two years ago ends and the Regulation applies in full.
Given the amount of promotion the GDPR has had (how many conferences, seminars and webinars have you attended or listened to?), it is striking that many organisations are only now starting to realise that the GDPR really is going to affect them. And there seems to be an increasing sense of panic in the air.
But is that panic truly justified?
In many respects, 25 May can be seen as a milestone rather than a deadline: a milestone on what, for some organisations, will be a long road to realising that good data protection is not just a matter of compliance. It is also about adopting the right mindset.
Data protection is about protecting people – not data. That means keeping their personal information secure, being transparent with them about what’s going to be done with that information and respecting their right to privacy. Why bother? Because only by doing that can an organisation win people’s trust that their information is safe.
Compliance can be achieved by 25 May (just, if you start now), but adopting the right mindset will take longer; for most organisations it will probably take years. So rather than simply panicking over the next three months, organisations should also begin to think about their data protection arrangements beyond 25 May. After all, as the Information Commissioner has recently said, the GDPR is not another ‘Y2K’: there will be no collective sigh of relief on 26 May because the ‘Millennium bug’ never shut down our electronics after all.
Those arrangements should include considering the appointment of a Data Protection Officer (DPO): someone who understands that the GDPR is a complex set of concepts, principles, rights and rules, and who can prevent or correct misinterpretations and misunderstandings (e.g. the belief that, under the GDPR, consent is the only lawful basis for marketing in every circumstance, when the Regulation itself recognises that direct marketing can rest on legitimate interests, even though separate e-privacy rules still require consent for some forms of electronic marketing).
Demystifying data protection law is essential to meeting the demands of the GDPR, but it is not an easy task.
It takes effort and it takes time. Above all, it takes an independent and pragmatic DPO. (Coincidentally, people born in a ‘Dog Year’ could make ideal Data Protection Officers: they are said to be loyal, straightforward, honest and capable of being highly responsible at work.)