Those who can, teach data protection strategies. Those who can’t, promote data protection solutions.
The General Data Protection Regulation (GDPR), the overhaul of data protection and privacy standards across Europe which becomes enforceable on the 25th of May 2018, is being squeezed for every drop of snake oil possible.
Despite responsible providers’ best efforts to rise above it, the onslaught of “GDPRubbish” has sadly become the story itself. Even the UK information commissioner herself has had to start a series of blog posts busting the ridiculous myths being spread about GDPR.
The first step in healthy GDPR compliance is awareness: gaining an informed understanding of what the data protection revamp does involve. That means being able to separate the GDPRubbish from the GDPR and recognise what the requirements do not involve.
As your accountancy practice works towards the May 2018 deadline, be aware of these widely peddled falsehoods:
Myth: fines! Fines! Fines! OMG fines!
The most obvious sign of GDPRubbish is any advice which mentions fines in the first paragraph. We have even seen a reputable news channel reporting fines of up to one billion pounds, a sentiment best expressed in Dr. Evil’s accent.
While data protection regulators can and will increase the number and frequency of fines under GDPR, these must be proportionate and will only ever be applied as a last resort. The headline fines, calculated as a percentage of a company's global annual turnover (the legal maximum is 4%, or €20 million, whichever is higher), be that one billion pounds or not, will be reserved for the largest companies processing the biggest volumes of data and committing the worst data breaches.
Myth: This is EU overreach
GDPR is an update, overhaul, and modernisation of data protection rules which have existed across Europe since the 1995 Data Protection Directive. In the UK, those rules were brought into domestic law as the Data Protection Act 1998. GDPR is, in fact, already law: it entered into force in May 2016, but does not apply, and so cannot be enforced, until 25 May 2018.
The businesses which will struggle the most with GDPR compliance will be the ones that were not in compliance with the existing UK data protection framework to begin with. Those who are already working at healthy levels of data protection compliance will find GDPR's new requirements both manageable and practical. Those who are not will have more work to do, and in that light, the effort spent on GDPR compliance is the cost of catching up with what they should have been doing all along.
Myth: It won’t matter after Brexit
One of the more dangerous misconceptions about GDPR is that it will not apply after the UK leaves the European Union, whenever that will be. The UK government has already confirmed that the UK will adopt GDPR and that it will remain the UK data protection standard for at least several years after the divorce.
The UK’s proposed Data Protection Bill, a long-term transitional arrangement between GDPR and any post-European data arrangement, will be introduced in Parliament in September, and its progress should be carefully monitored by accounting industry bodies.
Maintaining European data protection standards post-Brexit is not a mere matter of administrative convenience. One of the key principles of European data protection is that personal data may only flow freely to a non-EU country if the European Commission has deemed that country's data protection regime adequate, that is, essentially equivalent to European standards such as GDPR. To abruptly leave GDPR on an arbitrary calendar date would jeopardise UK-European data flows overnight, leaving everything from web hosting to cloud storage to the UK's entire digital sector floundering in its wake.
It is not in any government’s interest to cut off its nose to spite its face, and it is not in any accountancy practice’s interest to ignore a legally enforceable data protection standard based solely on its origin.
Myth: You can become “GDPR accredited” or “GDPR compliant”
Data protection, both before and after GDPR, is about integrating common-sense, responsible, and thoughtful user protection steps into your practice’s everyday processes and workflows. “Compliance” can only ever be a snapshot of one day’s effort. Believing that your business is “GDPR compliant” because you have completed a compliance process, be it an internal audit or an external training course, is a guaranteed way to make that compliance slip into meaninglessness.
Likewise, believing that your business has been “GDPR accredited” through a training course will only indicate that you have wasted your money. As of this writing, the UK’s data protection regulator, the ICO, has not approved any accreditations, certifications, or training courses, an awkward detail which has not stopped service providers from offering “authorised” courses all the same. Your practice would be better off having no training at all than displaying a certificate from the Walter Mitty Institute.
Facepalm: GDPR service providers who aren’t GDPR compliant
Finally, if the AccountingWEB team had a pound for every company we have seen promoting GDPR compliance services, software, or a white paper using a site which itself is not GDPR compliant, we would be able to enjoy a very good night out.
When choosing a service provider to help you on your compliance journey, it is your responsibility to make sure they are walking the walk. If you can spot the ways that a potential GDPR compliance provider has failed to comply with the provisions of the very thing they are teaching, congratulations: you know more about the regulation than they do.