On Friday (16 March) we had a very valuable CCNet meeting at Abbott Lodge Ice Cream Farm. And not valuable only because of the quality of the ice cream (excellent though that was). But the real value lay in the opportunity to be taken systematically through the implications of the new General Data Protection Regulations by Mark Wightman (of Aethos Consulting).
Mark started by some myth-busting. For example, people who claim that they can (for a fee) make you GDPR-compliant are probably overstating their case. The regulations are full of words like ‘proportionate’ and ‘reasonable.’ What that means in practice is that until there have been a few court cases and the judiciary have decided what is proportionate and/or reasonable, we won’t know.
On the other hand, that also means that small businesses, such as those represented at the meeting, will not be held to the same standard as, say Google or HSBC or PWC.
As long as we take a reasonable and proportionate approach, then even if we get something wrong and someone complains, the regulator is more likely to say we should change our policy or practice, than to land us with a large fine.
Mark then took us through the essentials: understanding what personal data is; what principles underpin the regulations, and what sequence of steps we should take to develop appropriate and proportionate policies and practices.
All those who attended found it a very useful, and surprisingly (!) interesting morning, and we are most grateful to Mark for sharing his expertise with us.