No Further Grace Period for GDPR Enforcement
With the deadline for compliance with the EU General Data Protection Regulation (GDPR) looming on May 25, 2018, the question has arisen whether there will be an additional grace period delaying enforcement from May 26th. At present, all indications suggest the answer is still no.
The Data Protection Authorities (DPAs) have for some time insisted that there will be no GDPR grace period over and above the one already in effect. When the GDPR was adopted in 2016, its application (and with it enforcement and fines) was deferred for two years so that organizations would have time to prepare. That deferral has in effect been a two-year grace period before fines can start.
However, many businesses are still not ready for GDPR compliance, and many member states have not yet passed the national legislation that supplements the Regulation (the GDPR itself applies directly from May 25th regardless). Nevertheless, the major authorities have given no indication that they intend to delay enforcement further. In fact, several have indicated the opposite.
John O’Dwyer, Deputy Commissioner at the Irish Data Protection Commissioner’s office, said in April 2018 that there would be no grace period. However, O’Dwyer noted that regulators have several corrective measures short of fines, including ordering a company to bring itself into compliance or ordering it to stop processing personal data altogether (the corrective powers are listed in Article 58).
Elizabeth Denham, head of the United Kingdom Information Commissioner’s Office (ICO), has also said that there would be no further grace period. However, in an April 2018 speech Denham downplayed the notion of a doomsday countdown for organizations. She emphasized instead that the ICO was not going to change its approach to enforcement, and that hefty fines would be targeted at those that persistently and deliberately flout their obligations.
She is not the first ICO official to rule out a grace period after May 25th. Steve Wood, the ICO’s Head of International Strategy & Intelligence, said as far back as March 2017 that there would be no grace period.
How, then, should businesses proceed over the next month?
1. Document everything.
One of the core principles of the GDPR is that organizations must be able to demonstrate their compliance with it. Under the accountability principle in Article 5(2), reinforced by the records-of-processing obligation in Article 30, organizations are expected to keep records of their data processing, their decisions and their compliance efforts, so that they can show a regulator what they have done to comply with the law and the basis for each decision.
2. Make a good faith effort for GDPR compliance.
Businesses still have an opportunity to put systems and processes in place to move toward compliance with key aspects of the GDPR. The DPAs will be looking at whether companies have appointed a data protection officer (in-house or as a DPO-as-a-service) where one is required, carried out data protection impact assessments, started collecting informed consent or established another lawful basis for processing, and whether they are handling requests under the data subject rights (access, rectification, erasure and portability). Transparency can be improved through a layered privacy policy or just-in-time notices. Businesses that have delayed implementation may not have time to comply with every provision of the GDPR, but they can still make progress on some of the key articles.
3. Put a plan in place for the remaining areas and commit the resources necessary to achieve it.
The DPAs will reserve the heaviest fines for organizations that deliberately violate the law or have repeatedly breached the data privacy and protection requirements set out by the GDPR. Organizations need to be able to show that they did not simply ignore the impending deadline. If an organization cannot bring itself into compliance with every aspect of the law by May 25th, it needs to be able to show any regulator that inquires when it will be in full compliance and what steps it has taken to get there.
Discover the Benefits of Privacy Management Software with Clarip
The Clarip data privacy software and team are available to help improve privacy and trust at your organization. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If you are working towards GDPR compliance, try our modular GDPR software. Start with our automated GDPR data mapping software, enhance your privacy program with DPIA software, and meet ePrivacy requirements with the cookie consent manager.
If California Consumer Privacy Act compliance in 2020 is on your radar, ask us about our CCPA software. Improve efficiency of responses to data subject access requests with our DSAR Portal, or provide the right to opt out of the sale of personal information with our consent software.