I'm always tickled by the conclusion of the reports that cite lack of awareness. For example, the government reckons only half of the country's companies have heard of GDPR -- so if you follow that through, by the time Bank Holiday Monday arrives at the end of May, half of the country's businesses will be in line for a fine of 4% of global revenue or €20m. Can't really see it happening, can you?
Are companies sleepwalking into an abyss of fines and losing their brand image? Or do marketers sometimes over-egg their proverbial pudding? I mean, if you're compliant with the Data Protection Act, you're pretty covered for the GDPR when it comes to individual rights, aren't you?
That has been my "don't panic" mantra for a while, so I thought I'd check out the ICO's lists for citizens' rights under the Data Protection Act and GDPR.
Here goes.
List A.
List B
Can you guess which one is which? OK -- so the biggest difference I have spotted is a move from bulleted points to numbers. But if you want to know which is which, A is DPA and B is GDPR.
So data portability is a completely new right? I'll concede that point. The right of erasure looks new, but was there all along with the caveat of "in certain circumstances."
Everything else is just a different way of saying the same thing. OK, it might be more direct under GDPR, with a few fewer "in certain circumstances," but take a look at the lists and tell me what has truly changed, other than data portability.
This is why it's so important to go to the original source. Yes -- individual rights have probably been slightly strengthened, but these rights were there all along.
I'm not saying there isn't a compliance challenge with GDPR, but what I am most definitely saying is that it's not the end of the world, as some commentators would have you think.
Take a look at those lists and ask yourself if the new regime is really all that different from the old.