It is finally here. This is the year of the GDPR. A journey that started with an ambitious policy paper about modernising data protection almost a decade ago – a decade! – is about to reach flying altitude. No more ‘in May next year this, in May next year that’. Our time has come. Given the amount of attention that the GDPR has received in recent times, data protection professionals are in high demand but we are ready. We knew this was coming and we have had years to prepare. However, even the most seasoned practitioners are at risk of being engulfed by the frantic fire-fighting mood out there. The hamster wheel of GDPR compliance is spinning faster and faster, but it is precisely now when we must look up, see the bigger picture and focus on getting the important things right.
First on the list is controlling the panic. There is a sense of panic about the perceived lack of compliance with the forthcoming framework which is stressful and paralysing at the same time. Many organisations are just starting to realise that this is going to affect them. Surprise! Those which have been preparing for it – many for the best part of two years – are also realising that the task is far from accomplished while the clock is ticking. But something that is crucial to appreciate is that data protection compliance is not a race. And if it was a race, it would be a marathon or, better yet, an ultra-marathon. The 25th May compliance deadline is in fact not a deadline. It is a milestone in a long process which will probably take years if not decades. So rather than assuming that perfect compliance is a matter of throwing bodies and budget at it for a few hectic months, it is our responsibility to show those who are panicking that the right way forward requires pragmatism and patience.
Because the GDPR involves such a complex set of concepts, principles, rights and rules, misinterpretations are rife. When you add the fact that this new law will coexist with existing ones, things get even messier. A good example of that is one of the most common misunderstandings I keep encountering: that under the GDPR, consent is the only lawful ground for direct marketing. In reality, the most appropriate and common ground to carry out direct marketing activities will be the ‘legitimate interests’ of those promoting their good and services. Separately, under the e-privacy regime, e-mail marketing is subject to a specific consent requirement which will need to meet the GDPR standards of consent. However, the exemption from that rule – the ill-named ‘soft opt-in’ approach, which is basically ‘opt-out’ – is still applicable in certain cases. This means that marketers who have lawfully relied on this exemption should be able to continue to do so after the GDPR becomes applicable.
Another issue which is often misunderstood and has caused a dilemma for organisations is the role of the Data Protection Officer (DPO). A cornerstone of the whole GDPR project, the DPO is often positioned as a fierce watchdog who must distance themselves from the goals of their employers. However, this is a mistaken and counterproductive view of what is in fact one of the most important contributions of the law to real data protection. The DPO’s primary aim is to persuade their own organisations to do the right thing. They need to be influential and they need to be trusted. Knowledge of the business objectives is as important as independence because a DPO who doesn’t understand the business will be an ineffective one. Demystifying European data protection is an essential condition to meet the demands of the GDPR but it is not an easy task. It takes effort and it takes time.
Crucially, when time is short the obvious answer is to focus on priorities and that needs to be the approach right now. What should be a priority then? There are so many to choose from… I would look for those issues that are more likely to make a greater contribution towards data protection in practice. The GDPR’s big novelty is the push towards accountability through practical compliance obligations and this should be the starting point. From creating a workable governance structure and building a comprehensive framework of internal policies to appointing a pragmatic DPO, setting the groundwork for compliance is key. Looking at more specific actions, revising privacy notices and data processing agreements should obviously be at the top of the list, but it will also be important to invest time in developing a workable system of data protection impact assessments – a crucial tool of increasing strategic importance for the future. Finally, let’s not forget about some long standing issues which should have already been taken care of but are always work in progress: preparing for cybersecurity breaches and legitimising international data transfers. The list could certainly be longer but being realistic is now of the essence.
This article was first published in Data Protection Leader in January 2018.