The Law Society has published a checklist for firms in the latest instalment of advice on compliance with a new data protection regime coming into force in 24 working days. However, Society data protection experts joined a senior figure from the Information Commissioner’s Office (ICO) last week in warning firms not to expect or to rely on boilerplate policies for complying with the General Data Protection Regulation (GDPR).
‘Following a template is not necessarily going to guarantee that you are going to meet the requirements,’ Richard Nevinson, policy and engagement manager at the ICO, told a Chancery Lane conference. Nevinson stressed that the regulation, which replaces the 1998 Data Protection Act, is ‘principles-based’ legislation, ‘with not necessarily a right or wrong answer’.
‘Even as the regulator we won’t have all the answers on day one,’ Nevinson said. Consistent guidance would have to emerge from the so-called Article 29 working party of European data protection authorities. A new Data Protection Bill, which will implement the regulation in domestic law along with safeguards such as a derogation for legal professional privilege, still awaits a date for its report stage in the Commons.
The new regime introduces several new obligations, including time limits for notifying the ICO and the data subject of serious breaches. Notoriously, it increases the authorities’ fining powers to a maximum of €20m or 4% of turnover. However, Nevinson assured delegates that he did not expect to be levying such fines. ‘If a breach warranted a fine of £30,000 under the Data Protection Act it probably warrants a similar fine under GDPR,’ he said.
Opening the conference, Paul Tennant, interim chief executive of the Law Society, said firms should welcome the stimulation that the regulation has created to review and update information management systems and controls. ‘The 25th of May is not a cliff edge but the start of a journey,’ he added.