After the quick-fix, “buy my solution, it’s the best-est on the market” and doom-laden commentators who were talking about €20m and 4% fines prior to 25th May 2018, we now find ourselves in an environment where the pendulum has swung completely the opposite way.
I have seen several people commending businesses for scaling back their preparations for GDPR and the Data Protection Act (2018) because taking the apparent cost of compliance out of the business has a positive effect on the bottom line.
Further, I have seen so-called experts saying that the ICO won’t fine businesses because they didn’t fine many businesses under the Data Protection Act (1998)… What they seemingly always fail to mention is that there is now a mandatory obligation to report personal data breaches to the ICO (within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals) which didn’t exist under the previous legal framework.
Liars, fools and charlatans…
This sort of thing makes my blood boil. Of course, you may suggest that these people are being pragmatic and that they are potentially undermining a central plank of my business. Fine…
In that light, taking their lead, I would suggest that other ways to save money include:
- pulling out all of your Health and Safety protections – that’ll positively affect the bottom line in the short term!
- contacting your accountant and either firing them or stopping their service – that’ll positively affect the bottom line – fewer salaries!
- firing your auditors – another cost-saving!
- cancelling your insurances – what a tremendous saving that will be!
- getting rid of your entire compliance function – they’re just another unnecessary overhead!
All of those ploys only work right up until the point something goes wrong.
- Someone has an accident and you have to explain to the HSE that the lack of warning signs for a slippery floor was a cost-saving exercise.
- Someone dies on a building site because they had no personal protective equipment as the result of a cost-saving measure. “Corporate Manslaughter” – much?
- Your accounts aren’t audited and your tax returns are wrong, leading to sanctions for directors and HMRC turning up wearing latex gloves and telling you to “assume the position”.
None of those ideas make any sense when the organisation has a legal requirement to comply.
DPA (2018) is in force now. Organisations must comply if they are handling personal data. Personal data breaches must be reported to the ICO (within 72 hours of the organisation becoming aware of them, with the limited, generally-defined exception of breaches unlikely to result in a risk to individuals) – it’s mandatory within those parameters.
Article 4(12) of the General Data Protection Regulation defines a personal data breach as:
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed
Organisations need to achieve a defensible position. Having the necessary processes, policies and training in place is a bit of a hill to climb, admittedly, for some organisations which may have dismissed the Data Protection Act (1998) as a bit of a joke, or were simply unaware of it.
DPA (2018) isn’t a joke.
Trying to hide behind some idiot’s statistics about the likelihood of being audited or breached is no better than putting your fingers in your ears and shouting “Blah, blah, blah!” at the top of your voice, hoping that the challenge will go away. You may have a data breach. You may have a customer with an axe to grind and data protection is the grinding wheel they can use most freely and effectively.
Having no preparation in place is like having no insurance.
Both could potentially lead to your business disappearing.
You may not get data protection one hundred percent right.
Someone way cleverer than me said that GDPR preparation for audit is like a maths exam question. Show that you’ve tried a pragmatic approach to the problem. You may get the wrong result, but the ICO will look more favourably on your particular circumstances than if you were to say “Well, this bloke on the internet said that we were statistically unlikely to be breached or hassled by data subjects, so we didn’t bother to do anything…”
The chances of being audited out-of-the-blue are minuscule-to-non-existent, yes. The chances of your business upsetting a customer, who runs into the arms of a “no win/no fee” solicitor? Quite a lot higher. These are the “freak accidents” which good preparation helps to mitigate.
These people who are saluting organisations which are disassembling their GDPR preparations or advising that no one will be fined so you shouldn’t bother preparing for the regulation? Do you seriously think that they will pitch in and help if anything happens and their advice is proven to be the mindless bulls*** that it undoubtedly is?
Of course they won’t.
They’ve proven by their moronic proclamations that they have no place advising anyone on anything in the corporate world.
If you have a problem, they will have disappeared (much like your professional standing) should you find yourself in the unfortunate position of proving that their statistics and short-termist view of data protection are entirely wrong.
Some people aren’t your friends, regardless of how comfortable they make you feel when they tell you that it’s okay to ignore your legal responsibilities and ignore common-sense precautions, in the light of a new piece of legislation which can come with severe sanctions and obligations…
I’m most probably not your friend, either.
Well, possibly not yet.
But… Sometimes it’s easier to tell your secrets to a stranger. The difference between me and these bozos I’ve described is that I stand by my advice; it is based on years of professional experience.
I don’t need to “showboat” to the masses to get attention.
People can easily find me if anything goes wrong.
I see the value in compliance and protection – that’s why I have professional indemnity insurance. I wonder how many of these other “friends” have got rid of that to save money?
I’d wager – none. They will all have their backsides covered. And yet – they’re advising you not to?
Some people aren’t your friends.
The people giving you idiotic guidance aren’t even your enemies.
Most often, they’re just attention-seeking hypocrites.