No ‘fixed point’ for GDPR compliance, says ICO chief

The Information Commissioner’s Office (ICO) is not planning to take a hard line on the 25 May 2018 deadline for compliance with GDPR, Information Commissioner Elizabeth Denham has said.

In a blog on the ICO website, she said although the eight GDPR myth-busting blogs run in 2017 were helpful in preparing for the new legislation, there was one in particular that she wanted to bust: GDPR compliance is focused on a fixed point in time – it’s like the Y2K Millennium Bug.

Denham said there was a lot of concern from organisations about preparing for the GDPR, as it involves a lot of work to get ready for the new legislation.

She said there were comparisons between the GDPR and the preparations for the Y2K Millennium Bug. In 1999, there was fear that New Year’s Eve would see computers crash, planes fall out of the sky and nuclear war accidentally start. However, nothing of the sort happened.

Similarly, in the run-up to 25 May 2018, there have been anxieties too, including fears that early examples will be made of organisations for minor breaches, that large fines will be reached for straightaway, and that the new legislation is an unnecessary burden on organisations.

She reassured those that have GDPR preparations in train that there was no need for a Y2K-level of fear. Unlike planning for the Y2K deadline, GDPR preparation does not end on 25 May 2018, but requires ongoing effort, she said.

Denham said: “It’s an evolutionary process for organisations – 25 May is the date the legislation takes effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.”

Helpline for GDPR compliance

Denham, however, said there will be no ‘grace’ period, as organisations will already have had two years to prepare.

The Information Commissioner outlined key building blocks to ensure organisations implement responsible data practices. These include: understanding the information already available; implementing accountability measures; ensuring appropriate security; and providing appropriate training for staff.

Denham said the ICO’s guidance on compliance would be of significant help. More guidance would be included in the document, she said.