With little over a year left before the European Union’s (EU’s) General Data Protection Regulation (GDPR) becomes law, preparations should be at the top of any IT leader’s agenda.
The regulation, which includes mandatory data breach notifications as well as eye-watering penalties for non-compliance, means making sure your organisation is compliant is essential, but not an easy feat.
At the latest Computer Weekly CW500 event, GDPR experts shared their knowledge and advice on what the regulation will mean for businesses and how to prepare.
Despite Brexit looming, the UK has committed to implementing the GDPR by 25 May 2018, leaving organisations with around 14 months to make sure they are compliant.
If you aren’t sufficiently worried about GDPR yet, you had better start now, said Chiara Rustici, an independent GDPR analyst.
“You have to own this from the start, don’t let it hit you when it’s too late,” she said, adding that her biggest piece of advice is to “be in the room from the start” as every choice that’s made around GDPR affects the IT architecture.
“Never let a legal decision be made about the business without you in the room. Please take that seriously,” she said.
Her second message is that GDPR is not an IT governance issue. “If you take it that way, you have to do everything again,” she added.
According to Rustici, it’s a three-variable equation. First, you have to understand the business monetisation rules for personal data. “Do we want to own it because we want to sell it or because we want to license it? Do we need it to optimise our processes, or do we just want to do profiling because we then sell products on the basis of profiling? You need to understand that it is a variable and you need to work out the dependencies,” she said.
The second variable is legal choices. While the regulation doesn’t tell you there’s one specific way of doing things, some choices “have certain effects on what automatic rights the consumer has”.
“Every legal choice that’s made up-front at the start of a journey has an effect on the IT architecture,” said Rustici, which means you need to figure out what the best data infrastructure is as an IT leader.
“You have to model the equation so you can feed back the cost to the board. If one legal choice has such a big effect on the IT infrastructure that it makes the product no longer profitable, the board gets a no, and you need to have that dollar amount of the impact that one legal and business choice has on the IT architecture. Nobody else can do that in the business,” she said.
“You’re not there to tell your legal team what to do, you’re not there to tell the business what to do, but you’re there to show them the dependencies and how much it costs,” she said.
Like changing a tire on a speeding truck
Getting to grips with the regulation is key, particularly if you’re a global business, according to Monica Cardoso Salgado, senior manager for data privacy and governance at the John Lewis Partnership.
Key questions you have to answer, she said, are around what data GDPR covers. The regulation covers not only organisations located in the EU, but also the use of personal data about EU citizens by anyone in the world.
If your organisation stores information about an EU citizen, you need to comply, regardless of local laws, or you risk being prevented from trading with the EU.
“Does it cover the data of my EU customers and EU clients? Does it cover the data of the EU citizens that I’ve recruited to work with me in Mexico? Does it cover the data when my Mexican workers are travelling to the EU and use my human resources management tool outside of Mexico?” said Salgado.
“The output that you can get out of this discussion is infinite, so the extra-territoriality in itself is something massive that needs to be tackled head-on from a strategic standpoint.
“It’s very easy to go into rabbit holes of discussions where you’re analysing every particular set of data, but it’s more relevant to get a strategic decision about that from the get-go,” she said.
The regulation, she added, encompasses every part of the business and therefore adds another issue – the change of mentality.
“We don’t own the data, we have it on loan. So the idea that we don’t own data is in itself a change in mentality,” she said.
“How do we put individuals and data first in a world that is evolving with the speed that is unprecedented in terms of data processing, data collection and data management? Where what is common and usual in a year’s time, we haven’t even thought about yet? How do you change a tire on a speeding truck?”
The role of the ICO
However, while it’s a complex issue and one that rightly should be on everyone’s agenda, it is important to place the GDPR into context.
Technology lawyer Dai Davis from Percy, Crow, Davis & Co said that while GDPR is an enormous change, with “a hundred times more obligations you have to think about”, the Information Commissioner’s Office’s (ICO’s) budget hasn’t increased.
The amount of money information commissioner Elizabeth Denham has to spend on policing GDPR compliance has not “in any way, shape or form increased with the amounts of potential wrongs she has to police,” according to Davis.
“I’m not saying you can ignore the legislation. However, you have to put it into the context of what you can practically do to comply,” he added.
According to the legislation, a company in breach may be liable for a large fine of up to €20m or 4% of annual worldwide turnover, whichever is larger.
Davis said the reality is that large international companies would probably get away with extraterritorial breaches, despite GDPR being very clear on this. If a company such as Google or Twitter is caught, for instance, is the ICO likely to police it?
“How many assets does Twitter have in the UK or the EU? How can [the ICO] possibly enforce any judgment against Twitter?” asked Davis.
However, Rustici said that while she doesn’t envision the ICO flying over to the US to do “dawn raids” on Twitter headquarters, for example, the regulation does have implications even for large companies. Not only does she expect class action-style lawsuits to grow, but the market itself will act as a regulator.
“In many ways, it’s true that the regulator can only do so much and the consumer will be more powerful, but the real clinch and sledgehammer for enforcement is the market,” she said.
Dealing with suppliers and outsourcing
Under GDPR, as a company holding personal data on an individual, you as a data controller are liable for any breaches relating to that data. This means it’s your responsibility to ensure that any datacentre or cloud provider you use is adhering to the regulation.
“Essentially, the controller has an obligation to only do business with processors that demonstrate they’re GDPR compliant, which effectively puts the controller in the position where it has to demonstrate compliance to do business,” said Rustici.
“You’re only as GDPR compliant as the weakest link in your supply chain,” she added.
While she expects that seals of trust will become the norm in the future, the best you can currently do as a processor is to demonstrate GDPR compliance across the board.
Under the regulation, you have to inform the ICO within 72 hours if you have a data breach. While a supplier or a processor of the data you hold has to assist you in finding out about the data breach, it’s the responsibility of the controller to report it.
Davis said the existing regulation, which was originally written in 1991 by the European Union commissioners, stems from a time when there was less outsourcing, meaning that the GDPR makes it easier.
However, he added: “There are some circumstances in which you can rely on the safeness of compliance from compliance outsourcers, which just didn’t exist in the old legislation to a real degree, but there are still issues of non-compliant circumstances.”
From a supplier’s perspective, he said, the legislation can be used to an advantage. “Looking at the question of justification in the legislation, you have to justify GDPR compliance – you can do that through a supplier. A clever supplier can come on and say, ‘this system is GDPR compliant’, and we’re going to use that external third-party compliance as part of the law.”
Automated decision making and the issue of consent
The GDPR strengthens the rights and the rules around obtaining consent to gather and use personal data.
The ICO has produced Preparing for the GDPR: 12 steps to take now to give organisations a list of the key issues they need to address in their preparations, but for organisations – some of which may never have had to deal with data protection legislation – it can be something of a minefield.
By May 2018, businesses will be required to make it easy for individuals to exercise the right of subject access to their data, the right to object to direct marketing and profiling, and to move their data from one supplier to another.
Ideally, individuals should have self-access to the data you keep on them, such as a dashboard where an individual can look up what data the company has about them and what data is transferred to third parties. However, this only applies to raw data.
Another worry is around automated processing – something insurance companies in particular have been very concerned with.
However, they do not need to worry as much as they have been. There is no outright ban on automated decision making, said Rustici.
“[The GDPR] is not saying you cannot do automated decision making, it’s saying there has to be a human element at some point. Whether that means you have a blended automated algorithmic decision making mixed with human, or whether that means you have an appeal system whereby a consumer can say ‘you made this decision about my right to have an insurance policy, I want to contest it’, the choice is yours,” she said.