It’s over two years since the wording was finalised and preparations for its arrival began, there’s been a sprint to the finish line but it’s here – it’s the day the GDPR comes into force alongside the Data Protection Act 2018.
There are still a few misconceptions about GDPR so we thought it would be helpful to clear them up.
Misconception 1. It’s all about today (25th May).
No. The GDPR isn’t a one day event on which we all need to be compliant. It’s about the long term. As much as anything, data protection is about you having a sustainable culture in place for considering the data protection angle of your day to day business activities. It’s important not to think of the GDPR as a one day event for two reasons:
1. If you’re not quite ready for the GDPR, it’s not too late to get your house in order. No one should be thinking, “I’ve missed the deadline for complying so I may as well not bother.”
2. For those that are more prepared, it’s equally important not to think of GDPR compliance as ‘job done’ and something from which you can now move on.
Misconception 2. You need to be 100% GDPR compliant.
In our view, there’s no such thing as 100% GDPR compliance. Anyone who claims to be completely GDPR compliant is either devoting all of their resources to data protection (which isn’t what’s expected by the GDPR) or they don’t fully understand the GDPR. Compliance is like a university exam; you want to score as highly as possible but no one scores 100%. GDPR compliance is a spectrum: with ‘What’s GDPR?’ at the start and mythical ‘perfect compliance’ at the end. At the low end of the spectrum is where the potential for big fines happen – it’s where organisations actively misuse personal data or are indifferent to the protection of personal data.
Toward the midpoint, the potential for large fines reduces as you take greater care of data. Somewhere beyond the midpoint, you may not be perfect but the potential for receiving a fine becomes fairly small. Ideally, this is the minimum level of compliance which all organisations should be at, but the goal should be to move comfortably beyond the ‘probably won’t get a fine’ territory.
The point is that you should always be looking to move up the spectrum and improve your data protection practices. There becomes a point where it’s difficult to keep moving up but it’s essential to keep trying as it’s much easier to slide back down the scale with a little complacency here and there.
Misconception 3. GDPR = Data Protection.
The GDPR is very important and it’s the new starting point for all things data protection. But it’s not the only law of which you need to be aware. The Data Protection Act 2018 comes into force alongside the GDPR and adds plenty of definitions, exemptions and variations to the GDPR.
Knowing the GDPR is great, but if you don’t know how it’s impacted by the new Data Protection Act 2018 you may have a slightly misleading impression.
There are also other data protection laws which need to be considered in certain situations, such as the Privacy and Electronic Communications Regulations (which contain important rules about direct marketing).
It’s good to know the GDPR but it’s equally important to understand that it isn’t the only data protection law in the park.
Misconception 4. GDPR is brand new.
The GDPR is new and it is replacing the old law (alongside the Data Protection Act 2018). However, the GDPR has taken the old law and modified it so it’s applicable in the 21st century. Many of the key provisions of the GDPR have been carried over from the old law. For instance, the terminology which we use such as ‘personal data’, ‘controllers and processors’, ‘data processing’ are largely unchanged.
The fact that the new law is a modification of the old law (albeit a fairly extreme update) is important as it means that much of the old guidance and data protection case law still provide very useful guidance on the practical application of the GDPR.
We recently read that “There are no GDPR experts as no one has experienced the GDPR in force.” Perhaps. But there are data protection experts who know how the law has been applied in the past which is a good grounding for evaluating how the law is likely to continue to be applied in the future.
Reality. You’re not alone.
The GDPR is here for the foreseeable future. If you’re not entirely ready for it, you’re far from alone.
Even though it’s now in force, it’s better to start your compliance project a little late, than not at all. If you’re reasonably well prepared, the key is to think about how you can practically maintain compliance going forward.