Everyone knows what is at stake in terms of fines for non-compliance with the General Data Protection Regulation (GDPR): up to €20 million or 4% of global annual turnover, whichever is greater. But what will really happen on 26 May 2018, the day after the deadline, if organisations are not compliant?
There have been comparisons between the GDPR and the Y2K Millennium Bug, albeit less apocalyptic ones. Regardless of how organisations may be feeling in the run-up to the impending deadline, the digital world is not going to implode on 26 May.
Of course, 25 May 2018 is an important date in the calendar for every business and we have been warned by the Information Commissioner’s Office (ICO) that there will be no grace period. However, that date is not going to be the end for the GDPR; it is the start of an ongoing and evolutionary compliance journey for every organisation.
The ICO is aware of the real world in which businesses need to operate and takes a pragmatic view on compliance and enforcement. Organisations are not going to be issued with a €20 million fine on 26 May if they are not 100% compliant.
All a business can do is its best to meet the legal requirements and mitigate any adverse impact its processing may have on data subjects and their personal data. While all of the GDPR data protection principles must be satisfied, the focus should be on the accountability principle. The reason is that if an organisation suffers a data breach or is the subject of a complaint, the ICO, in determining what enforcement action to take, will take into account, amongst other things, what processes and procedures have been put in place to demonstrate compliance.
As Elizabeth Denham, the UK’s Information Commissioner, has stated, unlike Y2K: “There is no wondering if this new legislation will happen, it will”, and now is not the time for employers to be burying their heads in the sand.
Sarah Thompson is an employment lawyer at the international law firm McGuireWoods.