GDPR aarrrrggghhhhh
So 25th May 2018 is the date set for when the world changes forever, as this marks the date when the General Data Protection Regulation (GDPR) comes into force. The summary of its far-reaching implications is succinctly revealed in the extract from the EU GDPR portal below:
"The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy." (www.eugdpr.org)
I suspect that every company across the country, or at least every poor soul that has been designated the GDPR representative, has spent the last 6 months trying to make sense of the legislation and the true impacts on the business operations. ARE WE COMPLIANT? is the question every business owner, HR manager, board of directors and front-line consultant is nervously asking.
No doubt you have tried to make some sense of the pending changes on the GDPR portal as provided by the EU, https://www.eugdpr.org/. I even tried to search for the specific Articles that make up the new directive, but they remain elusive. With a lack of detailed information, it is little wonder a whole new industry of experts, lawyers and consultancies has been created to whip up fears about non-compliance whilst offering audits and ongoing support for handsome sums of money.
Before we had GDPR, we had the Data Protection Act, and as the ICO asserts in its useful article, ‘preparing for GDPR; 12 steps to take now v2.0’, many of the main concepts and principles are much the same as those provided for in the current Data Protection Act, but the world has changed and our data is now commoditised and highly prized.
Data privacy should be a fundamental tenet and every citizen’s right. But as much as we bemoan the abuses to our privacy by organisations who are able to manipulate this data and, if you believe the press, even able to sway elections, we are still very happy to sign up to Instagram, Facebook, Twitter, LinkedIn etc. We willingly impart all manner of sensitive information and, with most transactions now handled online, our exposure to abuse and manipulation is substantial. Changes to the current legislation were necessary to address these issues and the intentions of GDPR are fundamentally well intended, but if there was ever a hammer to crack a nut, then I can think of no equal.
Every single business in Europe now has to comply. This is not a bad thing as the standards need to be universal, but I doubt whether the group of individuals who conjured up GDPR could have imagined the huge headache that its implementation was going to cause. Recently, I met a small publicly funded body with 6 permanent staff. They had identified 10 different data ‘touch points’ with the general public and their processes. It has taken them months to draft and administer the new policies in line with GDPR, but they admitted that, on closer inspection, nothing materially was going to change with their operations. I'm not suggesting policies are just a face-saving exercise, but you have to question what is actually going to change for the majority of businesses. It will be interesting to review the full impact over the next 12 months.
In the meantime, I have lost count of how many emails I have received from websites, businesses and organisations trying to reassure me that my data is safe. Once upon a time we suffered spam emails, but with intelligent filters and sophisticated systems, the spam we now receive is from companies we have willingly signed up to. But when the only ‘data’ they hold is my email address, do I really need ‘What Hifi’ magazine or ‘Mr & Mrs Smith’ telling me that everything is OK? I was happy to sign up and can remove my details at any time, and I'm not sure, if my privacy was compromised, what damage could occur from its abuse.
The regulations are very clear that fines could be huge and so companies, driven by fear, are going overboard to prove they are compliant, should an inspector come knocking. We have spent many hours preparing for the big day. We have mapped every process, drafted new policies, amended websites and databases, attended numerous conferences and appointed a GDPR representative. But the only sensitive data we hold is the individuals’ emails and addresses as provided on candidates’ CVs, which are taken from direct applications or job search websites. Added to this are the vagaries in the ‘legitimate interest’ clause, which will no doubt keep the lawyers busy for years to come.
There seems to be some collective hysteria about and we all know the problems that come from having just a little bit of knowledge. For example, this week we received an email from a candidate that stated: "…… I would like you to furnish me with ALL the data that you hold on me this is in-line with the data protection law in the UK coming into force soon with the introduction of the EU General Data Protection Regulation (“GDPR”)." Our GDPR policy was kick-started and we were able to provide confirmation of his original application and that all information (his CV) had been deleted. We never did get a reply to our email.
So we are now poised for the big day, but the Data Protection Bill, which provides for how the provisions of GDPR will apply in the UK, is still working its way through Parliament. www.ico.org.uk and the Gov.uk site was last updated in September 2017. I have been told that there are only 10 inspectors for the whole country, and without the new Data Protection Act, it’s a wonder how they will police this new legislation. Good luck everyone.
6 years ago: my view entirely David, nice article.
6 years ago: Great article David Mattinson