We’ll make you GDPR compliant …
… just pay us £100 / £500 / £1,000 / £10,000 / £50,000 (delete as appropriate)
People keep saying to us ‘we are GDPR compliant’ (and are probably totally unaware of the Data Protection Act 2018) and many of them then refuse to say any more about it.
Typically, those who do say more state that they have:
- Paid a ‘consultant’, at substantial cost, to provide them with a set of ‘GDPR compliant’ documentation
- Bought ‘GDPR compliant’ software
- Had an IT security company make them ‘compliant’ by making their systems secure
- Deleted their whole marketing database
… and, of course, they have avoided a fine of €20,000,000!!
Much of this ‘support’ has been provided by people who are good at IT, HR, marketing, web development … not specialists in data protection.
Two specific unnamed examples of clients who I feel have been abused by suppliers:
- A small charity, far from incompetent in compliance and legal matters, downloaded a bespoke ‘GDPR Toolkit’ from a Third Sector Interface organisation, for which they were charged £220. They took one look at the large document, decided that it meant nothing to them, and arranged to spend half a day with me to advise them on what to do.
- find out the requirements
- outsource the provision
Who is GDPR compliant?
Let’s get real. Nobody really knows what it means to be ‘GDPR compliant’. If we did know, there wouldn’t be all this discussion on LinkedIn arguing about what is meant by phrases (including two from my favourite Article 32, on security of processing) like:
- ‘high risk’
- ‘large scale’
- ‘appropriate technical and organisational measures’
- ‘including inter alia as appropriate’
- ‘in particular where the data subject is a child’
- ‘compelling legitimate grounds for the processing’
We can all have an opinion on what these mean, but nobody really knows. The guidance from the European Data Protection Board (EDPB) helps, but still leaves them open to interpretation. These phrases will probably become clearer over time.
Who is not GDPR compliant?
Many people think that compliance is just about security of personal data. While appropriate security is essential, there is much more to compliance, principally relating to your uses of personal data and how you treat data subjects.
Other people think compliance is just about having appropriate documentation (policies and procedures) in place. Again, this is essential, but is useless without some level of understanding of the GDPR and its requirements … and knowing what is said in your documents. Documentation needs to record the rationale for your decision-making on all data protection matters. It is very unlikely that documents sold by a consultant will include this.
Yet other people think that compliance is all about having consent to process people’s personal data. This is a particularly pernicious myth. Consent is only one of six possible legal bases for processing personal data for a particular purpose. If one of the other five applies, that is enough; asking for consent as well may be misleading, and consent relied on where another basis is the real reason for the processing may not be a valid legal basis at all.
Other people think having a ‘compliant website’ makes them compliant. I don’t really know what a compliant website is, but I can certainly recognise some non-compliant websites, e.g. a site with a pre-ticked consent box or one without a privacy notice. Even setting those issues aside, the biggest problem probably isn’t the website itself but what you do with any personal data obtained through it. You need to understand the obligations imposed by the GDPR.
Some people have deleted their whole marketing database because they think direct marketing is not permitted under the GDPR. Again, they’ve probably had bad advice from people who think this is what the GDPR is about; there are certainly legitimate (pun intended for the cognoscenti!) ways of marketing under the GDPR. Ceasing direct marketing is unlikely to make you compliant.
What should you do about GDPR compliance?
The $64,000 question.
If you feel you have been a victim of the Big GDPR Confidence Trick get in touch with us – we will be happy to give you an hour’s telephone support to help you see a way forward. Our advice is likely to include the following.
Firstly, be proportionate in your response to the GDPR – essentially this means that small organisations generally don’t need to do as much as big organisations. This is not meant to put you out of business. The Information Commissioner’s Office (ICO) has assured us that nobody is expected to be perfect, but you must be able to show you are trying – a plan of action which you can show you are following is a good start. Compliance is a journey which will never be complete.
Make sure that someone (data protection lead?) in your organisation has a reasonable understanding of the GDPR and its requirements. This probably means either extensive reading or attending a course. Make sure the course is delivered by someone who specialises in data protection and isn’t someone who suddenly became an expert yesterday. The level of course needed will depend on your organisation (size, complexity, sensitivity of data, regulatory issues).
After the course the data protection lead may well be in a position to drive compliance, but will certainly need support from across the organisation. If this hasn’t been done already, it is essential to carry out a personal data audit (also known as a data map or data asset register). This records the personal data you process and what you do with it. It may also be appropriate to buy template documents, in which case it is essential to read them carefully and adapt them to your needs and how you operate, using the information in your personal data audit – otherwise they will be useless. If you deal with a large amount of sensitive data or vulnerable data subjects, it may be appropriate to get support from a reputable consultant, who should be able to make things understandable and limited to what you need.
Some sort of training for all staff is essential. If you have an infringement of the legislation and it is caused by a member of staff who has not had training in that particular aspect of compliance, you are likely to have a major problem.
The important thing to remember is to be proportionate and think about the journey. Don’t try to do everything by tomorrow, but make sure you have a plan and keep it moving.
Footnote: In this blog post I have referred to the GDPR. I should really have referred to data protection legislation – in the context of the UK this includes the GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR).