There was much hype around GDPR in the lead up to its introduction – but what about now that it’s in full force? Nicola Hartland, CEO and Co-Founder of The Data Support Agency warns of the future challenges and how we move forward.
According to The Economist, the GDPR is the most complex piece of legislation the EU has ever produced. It’s taken many months, possibly even years, for companies to comprehend the 99 articles and 173 explanatory comments that make up the legislation and put them into practice. And now, the GDPR is finally here.
Pre-25th May, it seemed like wherever you turned an individual or organisation offered compliance warnings, opinions or tips. There’s been so much discussion about becoming compliant that little is known about what to do in a world post-25th May. But the impact of GDPR is coming and it’s important to know what to expect. So, what happens now the deadline has passed?
Those who are still non-compliant
In February, the Federation of Small Businesses (FSB) revealed that 90% of small firms were not prepared for GDPR. On enforcement day, this statistic hadn’t much improved with FSB national chairman, Mike Cherry, stating: “the likelihood is that many of the UK’s 5.7 million smaller businesses will not be compliant”. According to EY’s risk advisory senior manager, Luther Teng, this was because small businesses were being tactical in their compliance actions and prioritising certain aspects of the regulation in a struggle to complete everything.
The confusing nature of the legislation doesn’t help things either. The regulation is based on general principles rather than stringent rules meaning that organisations have to interpret what they need to do to be compliant. For small businesses in the run-up to enforcement day, this meant cherry-picking aspects of the legislation that appeared to be the most important. So, post-25th May we can expect many small businesses to continue with their compliance procedures.
Many SMEs would be relieved to hear that the ICO is not looking to make an example of small businesses who fall foul of the new law. This is indeed reassuring for both small organisations who failed to get their data house in order in time for GDPR D-Day and those who could be at risk of a data breach due to a lack of in-house knowledge.
The ICO has stated that in GDPR’s first year, they’ll enforce the law by advising rather than penalising. So, rather than toss their compliance plan to the bottom of the in-tray, SMEs should see this statement as an opportunity to play compliance catch up.
A surge in reporting?
The impact of GDPR in practice has become transparent in the last few weeks i.e. the flood of emails with updated privacy policies while begging subscribers for consent. Many businesses may over-comply due to penalty anxiety engendered by media reports. This could result in a surge of breach notifications as small businesses start to detail instances to the ICO that don’t require reporting.
Additionally, data subjects may be keen to take advantage of the new rights they’ve acquired, whether it be asking organisations to delete all the data they hold about them or exposing companies of non-compliance. The latter was the case of an Austrian activist accusing Facebook, Google and their respective subsidiaries of data breaches on enforcement day. If an organisation doesn’t respond to a data subject access request (DSAR) within 30 days, the data subject can file an official complaint with the supervisory authority.
The consequences for non-compliance with the GDPR have been extensively discussed in the media. The possibility of being fined 4% of annual turnover is enough to make anyone hypersensitive. It’s important to know that they will only occur as a last resort when companies deliberately ignore the legislation or repeatedly commit offences.
But that isn’t to say that companies will get away with non-compliance:
- The ICO can discipline disobedient organisations in a number of ways, including a request for enforcement action or an issue of minor monetary penalties;
- Non-compliant organisations may lose their commercial advantage and new business to competitors that are GDPR compliant;
- With the scope of GDPR under public scrutiny, the bad publicity received could be detrimental enough in terms of brand value and reputation.
Eventually, companies will get fined, but it won’t happen immediately. The process will take months, potentially a year, due to appeals and protests.
It’s likely that individuals will increasingly take advantage of their newly bestowed data autonomy by exercising access requests. However, an increase in SARs could strain the infrastructure of many small businesses if they haven’t implemented a smooth process for responding and monitoring them. As such, it’s paramount that a resilient process is in place for businesses to act quickly.
GDPR compliance is expected to act as a figurehead for strategic decision-making as organisations start to choose to work with business who demonstrate a commitment to data protection over their non-compliant counterparts. For instance, demonstrated data compliance would give a supplier business advantage over its non-compliant competitor. Similarly, GDPR focussed supply chains are more likely to retain and win contracts than those who are not. The message here is to always consider correct data policy as an integral element of business strategy rather than viewing 25th May as the finish line.
Over time, many companies will realise that they need resource aid – whether it be identifying data oversight or the integration of new policies into business procedures. For some companies, this will mean appointing a Data Protection Officer (DPO) who ensures that the organisation complies with GDPR. However, the number of readily available DPOs may be slim pickings, meaning that there may be a rise of the part-time or virtual DPO as an affordable alternative to satisfy demand.
According to Eduardo Ustaran of Hogan Lovells law firm, the GDPR legislation is four to five times more complex than existing law. Adopting GDPR is going to be a learning process and inevitably it will take small businesses time to find their feet.
But now that the enforcement date has passed, and the initial sense of panic has dispelled, SMEs have the opportunity to start or progress their GDPR project in a structured, properly thought out way that is tailored to their organisation. The legislation will continue to be updated and the Government has confirmed that after Brexit the GDPR will still form part of UK law. As such, small businesses would be wise to keep an eye on the latest updates, the ICO website and the FSB website for amendments.