As the clock ticks down to GDPR implementation, every company in every industry will be studiously inspecting the laws and regulations to see how it applies to them. But across the board it seems that there's widespread confusion as to what it covers. Does it cover existing data? How does it affect boilerplate contracts? And now the latest - is it in force already?
According to a number of Legal and Security specialists, the GDPR technically came into force 20 days after publication in the Official Journal of the European Union. This occurred on 4th May 2016. But the fines themselves will not apply until next year.
Nevertheless, a data breach now, could incur a retrospective punishment once those fines come into law next year. An undiscovered breach, or a breach that isn't resolved by next year, could be exposed to the higher penalties.
But the ICO themselves seem clear that the Data Protection Act is still the legislation that carries weight in the UK.
Confused? Well, the clear message here, is get prepared - make sure your data is clean, start putting opt-in principles in place and seek legal advice relevant to your business to ensure you are in the best possible position well before May 2018.
"Actually GDPR is in force now, but what's not in place yet is the penalties," said Kenyon. "So if there's a breach now, the ICO could hold on to it and give you the penalties in May 2018," she suggested.