GDPR Myth #6: No one will know if I don’t comply with GDPR

Mar 09, 2018 GDPR News GDPR

It’s not true. If you do absolutely nothing to prepare for GDPR, take 25 May off, put your out-of-office on and don’t pay any attention to anything related or connected to GDPR, you’ll be found out pretty quickly.

What happens if I don’t comply with GDPR?
First of all, people will know you aren’t complying because your privacy notices will not be GDPR compliant. They must identify the legal basis for processing data, and if that’s consent, then the consent being taken must comply with GDPR rules.

GDPR consent rules are a lot more specific than previous ways to collect consent, so much so that consent which does not meet GDPR requirements will not be valid after 25 May and you’ll be in breach of GDPR if you rely on it.

Responding to Subject Access Requests – no more £10 fee
Another way you could get found out is when people start making Subject Access Requests. Under GDPR, these are free and must be completed within one month. So as soon as one of your staff send out that standard reply to receiving a SAR that they can’t process it till the £10 fee has been paid, you’ll be breaching GDPR.

If you decide to just pretend to comply, by updating your privacy notices, identifying the legal basis for processing, refreshing consent and informing people of their rights to access their data, you’re halfway there and might as well just go the rest of the way by sorting out your back-end operations to become GDPR compliant.

It is true that you might only be found out if something goes wrong; if there’s a data breach or someone makes a complaint. This is where the sanctions from the supervisory authority come in. They have been set at such a high level, 4% of global turnover or €20m, not to scare those who are trying their best but to punish the rogue businesses who just don’t want to bother.

Let’s face it, there are many unscrupulous companies out there who make money by abusing people’s data, and write-off fines and sanctions as just the cost of doing business. GDPR is designed to tackle those kinds of data abuses, not the honest mistakes of organisations who are doing their best.

Even if you can’t get everything ready on day one, write a plan. Include milestones and realistic dates. Be ready to show the regulator how you are trying to comply with GDPR and all the steps you are taking to do so, even if it’s not all finished yet. No one can expect perfect compliance from the very next day, but doing absolutely nothing is just not an option.