Must you hire a GDPR specialist?
Getting ready
On 25 May 2018 the Data Protection Act 1998 (DPA) will be replaced by the General Data Protection Regulation (GDPR). Whilst the GDPR mirrors many of the principles contained in the DPA, individuals will have increased rights in respect of their personal data, particularly in relation to processing and consent. Compliance with the GDPR is mandatory and, as with the DPA, there is no small business exemption.
Pushing their services
With the GDPR firmly on the horizon, many “specialists” are pushing their services and warning employers about the risks of getting things wrong. Clearly, you’re going to have to be on top of the GDPR when the time comes, but must you hire a specialist to help with the preparations? Depending on your business and the expertise it already has in-house, this may not be necessary. However, if you decide that you do need an external specialist, there are a few things to bear in mind.
A real expert
Firstly, anyone who claims at this early stage to know everything about the GDPR and how it will be enforced probably isn’t being entirely accurate. Whilst the ICO has started creating resources for businesses, a number of issues still need to be ironed out. Furthermore, the ICO hasn’t issued comprehensive guidance on the GDPR and has no plans to do so. It will release official guidance on consent under the GDPR in December 2017, but that guidance won’t cover anything else.
Tip. Draft guidance on consent under the GDPR is available now (see The next step). The ICO says that “It’s unlikely that the guidance will change significantly in its final form”, so this is a good starting point.
Fact from fiction
Another issue to be aware of is that there’s a lot of scaremongering about the GDPR. Indeed, the following misleading statements, all made by supposed specialists, have been brought to the ICO’s attention:
- “all personal data breaches will have to be reported to the ICO without fail”
- “if employers don’t report a breach on time, a fine will always be issued”
- “the GDPR prevents you ringing people to remind them about meetings or appointments”
- “employers that hold personal data on a cloud server can ignore the GDPR as it’s the service provider who has the duty to comply.”
Note. For the record, these are all myths.
Tip. Before you hire a specialist, our advice is to read the ICO’s overview of the GDPR (see The next step). It explains the similarities with the DPA and describes some of the new and different requirements. It is a live document that will be developed over time, and it signposts readers to further information; this may be all you need to get on top of the GDPR. If, however, you conclude that a specialist is required, be sure to scrutinise their credentials and experience.
For the ICO’s draft guidance on consent under the GDPR and an overview of the GDPR, visit http://tipsanadadvice-personnel.co.uk/download (PS 19.17.03).