Well, I’ve been trawling through a morass of information from different sources and it’s all starting to look more and more meaningless the harder I stare at it. Like saying or writing the same word over and over again until it loses all shape and meaning and looks, well, really very weird indeed (hinge, hinge, hinge, hinge, hinge, hinge, hin.. there we go!).
In the UK the General Data Protection Regulation will be enforced by the Information Commissioner’s Office (ICO). Now, some have criticised the ICO for being a bit slow in offering useful guidance on this topic. I empathise with both sides of the fence. To my eyes the GDPR is a scary, huge animal that has swallowed the Data Protection Act 1998 whole, without it touching the sides. Its scope appears to be thrillingly wide, so you can see why the ICO might be a little shy in jumping right in. For those of us on the other side, though, the conversation seems to have been:
Us: “How do we ready ourselves, O wise one?”
ICO: “We can’t tell you that”
They have produced some guidance though, bless them. Go to their website and you can download a copy of “Preparing for the General Data Protection Regulation (GDPR)”. Yes, a 12-step programme. I’ve also got a copy of their “Conducting Privacy Impact Assessments Code of Practice” and “Consultation: GDPR Consent Guidance”. I’ve also got a copy of the guidelines on Data Protection Impact Assessment (DPIA) from the otherwise enthralling Article 29 Data Protection Working Party. These people can be tracked down to the EU website (because the GDPR is an EU-initiated beast after all). This all sounds like I’m making some progress, no? I thought I was until I got caught in some kind of closed loop of logic the other day. The sort of thing that would seem to make time travel impossible, i.e. a paradox that I couldn’t seem to escape from. I’d got caught, trapped, enmeshed between 3 different guidelines/codes and found I could make no progress. It started innocuously enough with a bullet-point list which seemed important: 3 key ways in which an organisation can demonstrate that it is compliant with GDPR. It was just too tempting to resist, even though every sensible fibre in my body was screaming “Get away from there! It’s a trap!” Before I knew it I was tangled up in Data Protection Impact Assessments and, well, suffice to say I’ve never really recovered from it. In short, I needed the DPIA as a shortcut to demonstrate compliance but found from other literature that a DPIA was not appropriate for our practices. There was a flowchart, you see. From one box/question it was a No or a Yes and on to the next box/question. I got stuck in the top left-hand corner of the chart, never making progress, always circling back to the start.
You may have also noticed a little something in that list of guidance that speaks of something significant. To wit: “Consultation: GDPR Consent Guidance”. Yes, Consultation. Let me give you a taste of this tome just in case you haven’t got a copy yourself:
“However, as the GDPR is a Regulation that applies consistently across the EU, our guidance will need to evolve to take account of future guidelines issued by relevant European authorities, as well as our experience of applying the law in practice from May 2018. We intend to keep this guidance under review and update it in light of relevant developments and stakeholders’ feedback.”
So the GDPR is a living beast, growing, changing, evolving, and so the guidance from the ICO will change with it. Yes, it sounds like they’re ‘making it up as they go along’. However, that’s got to be a good thing, hasn’t it? It speaks to me of common sense. I say this because what has been getting a lot of coverage has been the eye-watering levels of fines that will be imposed for infractions, but this approach suggests that the ICO isn’t saying “These are the rules, cross this line and it’ll cost you”: they don’t seem to want to make revenue from fines; they seem to want to make data protection work for everyone.
Whatever business you are in, you need to look at GDPR and see how it affects you. What I’m going to do is work my way through the guidance I have yet again, produce my own flowchart for risk, and address the checklists. I’ll also be hoping. Hoping because one of those 3 key ways in which an organisation can demonstrate that it is compliant with GDPR is to adopt an industry code of conduct. So I’m hopeful that the Strategic Mailing Partnership will come up with something that relevantly targets the areas of GDPR which affect our business. It would be foolish of me if our approach hinges (hinges?! Does that look right to you?) on the SMP coming up with something tailored just right for us, so I’ll continue to wade through the morass and put in the work. I’ll maybe see you on the other side…