Remember the Y2K bug? The months of news stories, the panic that no one was prepared, the number of consultants and companies offering help/services and the number of conferences on the subject.

Fast forward 18 years and we’re facing another acronym that companies are now realising is pretty close, GDPR.

I hope a reminder of what GDPR is comes as little surprise to anyone.

The General Data Protection Regulation (GDPR) will take effect in the UK from 25 May 2018. It replaces the existing law on data protection (the Data Protection Act 1998) and gives individuals more rights and protection in how their personal data is used by organisations.

I can’t say I am personally an expert in the law, but I’ve found myself involved to varying degrees in a number of organisations from work in a law firm to being on a school governing body. It’s something that will affect pretty much every organisation. There are plenty of guides out there on the web, some that are specifically targeted to certain areas (for example schools, churches etc) and simply the more data you have and process the more complex things will become.

But though a reminder is worthwhile my worry with GDPR is not that we won’t all be ready, but that we don’t understand it enough. I can see GDPR becoming the new “Health and Safety”, we understand it enough to be worried but not enough to argue why something can/can’t be done in it’s name. We’ve already seen stories recently on records being deleted in the name of “data protection” in the windrush scandal in the UK, with GDPR in place how many organisations are going to err on the side of caution and erase data? There was an article written in this weeks The Spectator on this very subject, so it’s not just me! I mean if you don’t legally need to keep the info won’t it be easier to respond in the time limit for data requests by being able to say “we have nothing” or worry about breaches by having nothing to breach?

I’m not necessarily suggesting the law is over the top. I think what it aims to address is valid, especially give some companies lack of care of other peoples data. But equally we all need to ensure we understand the law enough to not be over zealous. Some recommendations I’ve seen suggested have been totally over the top, suggesting dedicated email services for volunteers, totally moving data to private emails into controlled cloud storage or mandated email encryption (this is regardless of the content).

So if we all take a bit of time to understand it a bit more, explain it to our friends and family then maybe we can just arm everyone with enough information to avoid “health and safety regulations gone mad” stories becoming “Data protection gone mad” (though I’m going to predict the Daily Mail with such a story by the end of the year!!)

UPDATE

I saw this letter posted today (14th May 2018) and thought it was worth adding to this post. There’s going to be a whole lot of “misunderstanding” soon!