The Information Commissioner’s Office has warned organisations not to expect, or rely on, boilerplate policies to achieve compliance with the General Data Protection Regulation.
Speaking at a conference organised by the Law Society, Richard Nevinson, Policy and Engagement Manager for the ICO, stressed that:
“Following a template is not necessarily going to guarantee that you are going to meet the requirements of GDPR”.
It was stressed that the new regulation, which replaces the 1998 Data Protection Act, is “principles based” legislation with “not necessarily a right or wrong answer”.
Nevinson admitted that even the ICO won’t have all the answers on day one (25 May 2018), as consistent guidance will still need to be developed by a working party of European data protection authorities (the so-called “Article 29 Working Party”). In addition, the Data Protection Bill implementing GDPR is still on its own journey through Parliament.
As we have stressed to our clients, GDPR is a journey, not a destination in its own right. The important thing is to get the journey started.