Impact on compliance
The current Act is ‘light touch’ with little accountability and the Commissioner has no audit or fine powers. The Act created an expectation that businesses would comply with its requirements. Where issues arise, it is down to the individual, or the Information Commissioner, to identify non-compliance.
The GDPR inverts the current model.
Controllers and some processors will be required to:
- Record and evidence their compliance with the requirements and their obligations under the GDPR
- Regularly test and document their security measures
- Comply with enhanced rights of data subjects
Failure to do so will incur significant fines.
Impact and size of the task
Businesses need to start preparing NOW.
The impact and size of the task facing the Island’s controllers in meeting the standards required will depend, to a great extent, on how well they comply with the requirements of the current Act.
Controllers with an embedded culture of compliance and information security that follow defined retention and destruction policies, train staff, and properly inform customers about the use of their personal data are unlikely to be significantly affected.
Controllers that have taken a ‘laissez-faire’ approach have work to do.
Although the current Act does not apply to processors, i.e. third parties processing personal data on behalf of a controller, this will change, as the GDPR imposes certain obligations on data processors processing personal data.
This is a whole new area of compliance for processors and will require considerable action.
In addition, based on an average system and software life-cycle of 2-4 years, all businesses should consider compliance with the GDPR when undertaking any updates or new IT developments.