The new General Data Protection Regulations from the European Union are coming in May 2018. The reaction has been somewhat mixed: some say that standardisation will be a good thing, while others say that it will severely impact the way they work in terms of marketing and fundraising. One thing many will agree upon is that, as well as many organisations being unprepared for the implementation of the new regulations, there is an awful lot of scaremongering.
One of the main sources of this scaremongering has been legal firms, some of them targeting the charity sector, which could be severely impacted by the new regulations. It’s something that Mark Burnett, Treasurer and fundraising trainer for the Institute of Fundraising South East and London regions, has spoken out against on the UK Fundraising website.
“There has been a lot of talk recently about the potential new and rather dramatic increase in monetary penalties under GDPR. Many legal firms are attempting to paralyse the charity sector with the terrifying notion that they might get a £20m fine for sending their donors unlawful communications. I honestly believe this won’t be the case: no one I have spoken to really believes the ICO will issue fines anywhere near this level.
“Of course we shall need to wait and see. Yes, you should be GDPR-compliant before the deadline, but remember, as long as you have made a start on compliance, can demonstrate the processes are in place and that you understand the fundamentals, the ICO will work with you, of this I’m sure.”
Stephen McCartney, Director of Information Governance and DPO at Royal Mail Group, has also hit out at the scaremongering that he sees going on. In a recent LinkedIn article, he said:
“It is time to put those law firms and consultancies that are spreading misinformation about GDPR on notice. I will make sure that my budget will not be spent on your services. Too often my colleagues who are not data protection specialists come back from an event or approach me about an email or LinkedIn post that is full of alarmist and misleading information about GDPR. I have to spend time I don’t have correcting this rubbish.”
Whilst it is clear that there have been some companies and organisations that have set out to scaremonger in an attempt to make money from the new General Data Protection Regulations, can companies really afford not to do everything in their power to comply with GDPR?
Just last month, the Irish Data Protection Commissioner was asked about her views on fining companies for non-compliance, and her views were clear.
“Yes. We have to be willing to. The legislature in Europe provided for fines up to that level because they believe in certain cases it may arise. Presumably, it would involve many users. But it’s absolutely the case that we will be imposing fines against big and small entities based on the issues that come across our desk and the areas of risk we identify. There’s nothing surer than this.”
Asked whether there will be any leeway under GDPR, she said no.
“No. There’s not going to be any amnesty or first or second chances. On the other hand, the GDPR does set out criteria when we go to look at the quantum of fine we might impose.”
That means that, whilst there may be scaremongering going on from certain sectors, it doesn’t take away from the fact that organisations do and will face fines if they do not comply with GDPR in its entirety.