By Simon Clayton, chief ideas officer and GDPR practitioner, RefTech. Follow us for a full series of expert GDPR blogs.
Unless you have been living under a rock, you’ll be aware of GDPR and have been subjected to several blogs and countless emails warning of the horrors it will bring when it becomes enforceable next May. Before you groan and say ‘not another blog about GDPR’ let me explain. This isn’t a blog trying to sell you anything, and reading this series of articles will not magically take the pain away. Instead, I hope that they will change your perception of GDPR and give you clarity of the task ahead.
GDPR is complicated and in some ways, confusing. It is legislation made up of 99 articles and 173 recitals and much of the wording is currently subjective and vague. This means a lot of commentators are getting key facts wrong because so much of the wording is contradictory and open to interpretation.
I have already invested months of my time in learning and understanding GDPR and the separate articles it contains. I’ve attended two training courses and after taking exams, I’m now a GDPR Certified Practitioner. I’ve given a series of GDPR masterclasses across the country and I’m going to be speaking about the subject at Confex next year.
Despite my best efforts, nobody knows everything about how the articles will be interpreted and how the regulations will translate into the real world. I have almost daily queries which I am referring to the ICO, and at this stage even they don’t know all the answers, which is at least partly because they haven’t released their full guidance on how to interpret the regulations yet – we expect that early next year.
I believe that GDPR is much more suited to the online world, but it does apply to the real world too – even if some of its clauses aren’t brilliant when applied to real-world scenarios. For example, Article 13 states that whenever personal data is collected directly from the data subject, you must tell the data subject everything about how you’re going to use their data including (but not limited to):
- who the data controller is
- the purposes of processing and the legal basis for processing
- recipients or categories of recipients of the personal data
- the period for which the personal data will be stored
Don’t get me wrong – I believe that GDPR is generally a good thing but this is a journey where we are currently in the dark and feeling our way to some extent. The ICO releasing more detailed guidance next year will help, but it’s likely to leave a lot of other questions unanswered until we start seeing the results of investigations with the decisions of the ICO.
Becoming GDPR compliant isn’t about ticking boxes or investing in a new piece of software that will do everything for you, and despite the scary headlines, it isn’t just about avoiding huge fines. The ICO isn’t generally interested in dishing out huge fines as punishment; in her blog, Elizabeth Denham, the information commissioner, highlighted their track record and pointed out that the ICO investigated 17,300 cases last year (2016/17) and just 16 of them resulted in fines, because the ICO would rather encourage responsible stewardship of data than punish organisations with fines.
GDPR is our once-in-a-lifetime opportunity to do the right thing; for organisations to review how they collect, store and use personal data because they have a responsibility to the people whose data they use. GDPR is forcing us to treat people’s personal data transparently, fairly and with respect and to be aware of how great a responsibility that is.
Start your journey by downloading our free white paper ‘Get ready for GDPR: Your events management strategy’. The paper gives you clear explanations and a framework of questions to ask to enable you to create your own GDPR strategy: https://www.eventreference.com/gdpr
The paper is free to download and it’s not a crafty data collection exercise so you don’t even have to leave your email address. It is just our way of helping our industry take the steps it needs to become more responsible.
Once you have downloaded the white paper, tune in to my blog each week on the CN website. I’m researching and refining how GDPR should be interpreted by our industry, and I’ll be discussing best practice and sharing my learnings with you.