GDPR – It’s All Going To Be Okay…
Take a look at the most recent ICO blog stating that GDPR is not ‘a burdensome revolution’ - so we can now all stop worrying. Well, not exactly: this blog seems to ignore the complexity of GDPR, the amount of work required to implement the GDPR changes, and the costs involved.
The blog also ignores the fact that there is little in the way of guidance around GDPR and an awful lot about the consequences of non-compliance. This combination of incomplete regulations, vagueness of implementation requirements and threats of ginormous fines makes me nervous and should be a huge concern to everyone.
The ICO 12-step approach might be okay if you are a blue-chip organisation with an IT team and a large IT budget, but it is meaningless for most small companies. How many SMEs will even know what an information audit is or how to document a risk assessment? The 12-step model might work well for large companies, but it ignores the thousands of UK SMEs that might not even be aware of GDPR.
Add to that the enormous power of the ICO to decide that it just doesn’t like your security approach, data minimisation strategy or operational processes, and you have a pretty scary situation.
At some point the ICO has to accept that this is a huge issue for all UK companies, stop pretending that GDPR is just an evolution of the DPA, and take some action to support UK business. Either that, or at least stop threatening everyone with enforcement action and punitive fines. Take the HMRC approach and adopt a light touch on enforcement, at least for a short time. Give us all a chance!
Thanks