After a series of setbacks, from Dunkirk to Singapore, wartime prime minister Winston Churchill finally had good news for the British people when Field Marshal Montgomery achieved a rout of Rommel’s troops at El-Alamein.
Churchill famously said, “Now this is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning”.
And so it is with the new GDPR provisions, which became applicable and enforceable on May 25, 2018.
Transatlantic corporate law firm Womble Bond Dickinson, with a powerful reputation in intellectual property and compliance, offers a common-sense approach in terms of what the new era will entail.
The first thing to bear in mind is: there is no need to panic.
Some companies will have panicked, of course, given the headlines warning of possible sanctions for breaches. You’ll know about the penalty of €20 million or 4% of an organisation’s worldwide annual turnover, “whichever is the higher”.
Provisions also allow for what are termed “stop now” orders, giving regulators the powers to force a non-compliant business into ceasing trading.
It’s important to recognise, though, that these headlines are focusing on the “Doomsday scenario”. In fact, UK regulator the Information Commissioner’s Office (ICO) has stressed that it only envisages resorting to such measures in the most extreme of cases.
Womble Bond Dickinson points out that the ICO is seeking “intelligent engagement” with the new provisions. In its view, the ICO takes the stance that “genuine and reasoned” efforts to comply would result in far lower penalties.
Put another way, the ICO’s goal is not to punish companies but to aid and support them in moving towards compliance with the new regime protecting data.
In keeping with that spirit of fairness, one under-reported element of the new guidance concerns the “consistency mechanism”. This is a requirement of the GDPR rules that means regulators across the EU and EEA must interpret and apply the law both clearly and consistently.
Under the old regime, there was a range of varying interpretations and applications. The new system is intended to be universal. The consistency mechanism means that, necessarily and realistically, what the GDPR laws require will be an evolutionary process.
By way of example, the law firm points to GDPR’s territorial scope provisions in Article 3, which are concerned with regulation of non-EU bodies: “GDPR compliance cannot be seen as a fixed or static exercise,” it concludes. “It will, necessarily, be an ongoing and risk-based process.”
Or, in other words, we are at “the end of the beginning”; the final destination is still some way off.