The two-year countdown to new data protection rules coming into effect in Europe has begun, but organisations that waited until the starting gun was fired on 14 April 2016 may have left it too late.
While some organisations have been preparing for the GDPR over the past four years of political negotiations and lobbying, and have started to do detailed work on the issue, others put off the inevitable until the regulation was finally rubberstamped by the European Parliament.
In the UK, some organisations may also have delayed taking action until the outcome of the EU referendum was known, but legal experts say that the GDPR is likely to apply to UK firms even though the UK has voted to leave the EU.
Marking the milestone, EU justice commissioner Věra Jourová described the GDPR as “first-rate data protection rules providing for the world’s highest standard of protection”.
While this sounds positive, especially as the new rules are designed to be a key enabler for the digital single market, these words could be ominous for some.
“In practical terms, this means there are challenges ahead and that a lot of companies will have their work cut out to be compliant in time,” says Bridget Treacy, partner at law firm Hunton & Williams, “especially UK companies, which have been accustomed to a pragmatic, light-touch regulator, but are now going to have to comply to a higher standard, much more like that which has been operating in Germany, where, for example, organisations have been required to specify their legal basis for collecting and processing personal information.”
In the UK, there has not been that level of focus, Treacy says. The change in emphasis will bring considerable change in some organisations as they seek to ensure they are compliant.
Now that the countdown has officially begun, organisations that have not done so already have to start thinking in very pragmatic terms about what the GDPR means for their business and how they are going to handle their data assets. Two years is not much time, especially for those organisations starting from scratch.
Treacy says: “This legislation needs to be taken seriously because it strengthens individuals’ rights, tightens obligations for data controllers, imposes new obligations on data processors and gives the regulators very significant powers of enforcement.
“This set of issues goes up the corporate risk register to around where competition law issues are currently considered because of the magnitude of the fines. But the data issues are perhaps more fundamental in some ways because data permeates everything, and is likely to be the most valuable corporate asset. If you want to collect data and do anything with it, you have got to do it in accordance with the regulation.”
The final alarm bell has been sounded, agrees Stewart Room, cyber security and data protection partner at PwC.
“There are no more alarm bells after this. There is no more pretending. All organisations that have not started preparing now need to start taking this seriously,” he says. “Any organisation that has been waiting for the publication of the regulation before taking action is either being poorly advised or simply reckless.”
Nor is the UK’s potential exit from the EU an excuse for inaction.
“Brexit makes no difference to the UK’s obligation to do GDPR at all, but it is worrying that it could take time for UK organisations to understand that, and delay them even further in getting on with the work they have to do,” says Room.
GDPR and Brexit
While there are many elements of the UK's political and economic future that will appear uncertain, PwC is confident that the UK will need to meet the requirements of the GDPR.
According to a report by PwC, the UK supports the GDPR and is already giving effect to many of the GDPR’s requirements. “Considering these facts, a departure by the UK from its progression towards achieving compliance with the GDPR would appear very unlikely,” the report says.
The GDPR automatically comes into force on 25 May 2018, and the PwC report notes the UK will already be bound by the terms of the GDPR by the time it exits the EU. “This means that the ICO, UK courts and all affected entities will already have put in place the requisite infrastructures to comply with the GDPR,” the report says.
PwC says the UK will technically be free to abandon the GDPR after leaving the EU, but the question arises as to why that option would be more attractive than retaining the GDPR. “Retaining the GDPR after exit would be in the UK’s interests, the interests of UK citizens and the interests of UK-based data controllers and data processors,” the report says.
The report points out that the UK will still deal with the EU after it leaves and will have to develop new “interaction models” to retain a relationship with the EU.
“However, before considering the various options that might be available, it is important to consider the territorial scope of the GDPR and all of the circumstances where it will still apply to the UK after an exit, regardless of the interaction model that is eventually agreed,” the report says.
After an exit, the report says that if a UK business offers any goods or services to EU residents, or engages in tracking internet use in the EU, the GDPR will apply and UK data protection law will have to be “adequate” according to the standards of the GDPR if UK entities want to continue to import personal data from the EU.
“Following the lessons arising from the recent safe harbour litigation concerning the export of EU personal data to the US, and in a climate where the UK’s voice is unlikely to be heard in the EU, it seems very likely that adopting the GDPR will be the simplest and most economically viable option for the UK to avoid any challenges to the adequacy of UK law,” the report says.
No more time
With just two years remaining before the GDPR is enforced, Room says that any organisation that has not made some progress towards complying with it has effectively run out of time.
“The GDPR has been years in the making and the key elements have been clear for years, so organisations should have been getting on with it and should be well advanced by now,” he says.
However, he adds that the reality is that many organisations have left it until the final call to start working on GDPR compliance, which means they are unlikely to be compliant by 2018 when the new rules come into force.
In part, this will be because there is a limited amount of resource in the marketplace to deal with these issues, Treacy says.
“Some organisations are going to have some quite serious thinking to do about the ways in which they collect and use personal data, and how they are going to comply with the regulation,” she says. “They will need experienced external advisers, but there are not that many people who have really deep experience in this space.”
Business has to step up
At the same time, Treacy says organisations need to be realistic. Even if they are able to tap into the resources they need, there is a limit to what external advisers can do.
“A lot of the detailed work actually has to be done within the organisation itself, and quite a lot of it has to be effected by the business,” she says.
“For this reason, you also can’t expect the data protection officer within an organisation to somehow wave a magic wand and sort this all out, especially as DPOs are typically not well resourced and often have other roles.”
Wise guy or fall guy?
With just two years to go, Room says organisations that have waited until the last moment will fall into one of two camps.
They will either be “wise guys” or “fall guys”, he says. The fall guys will carry on, unaware they have run out of time, simply chipping away at the compliance obligations, making some progress, but not a lot.
As a result, they will be exposed to the many legal, regulatory and reputational risks posed by the GDPR when it comes into force.
By contrast, the wise guys will act quickly to identify all the risks.
“They understand the need to predict and identify what will be the burning platform in two years’ time in the GDPR,” says Room.
“The wise guys will take a risk-based approach by doing whatever they can to tackle the greatest risks to ensure none becomes a burning platform.”
Risk different for every entity
The important thing to note, says Room, is that while compliance is the same for everyone, the risk of a burning platform is different for every single entity.
The best way to get to the to-do list, he says, is first to analyse the special characteristics of the organisation. These are the operating and environmental features that cause the entity to behave the way it does. They include things such as risk appetite, regulatory track record, and legal and organisational structures.
“An entity’s special characteristics in terms of its management structure, for example, might mean that it has a different strategy for data breach handling to another entity, which will change its risk profile,” says Room.
It is important for companies to look past a lot of the thought leadership on the GDPR because it is too high level to be of practical use, he says. He advises focusing instead on the risk in a particular business and how that can be addressed without delay.
Big entities and public authorities
However, Room says the entities that need to be worried about this are the ones that will typically have the resources they need to be a wise guy and not a fall guy. He believes that the regulator, at least initially, will focus on big entities and public authorities with the money and talent to get it right, and will take a hard line because they will have had since 2009 to do so.
Based on past experience with things like the Freedom of Information Act (FOIA), which came into force in the UK in January 2005, Room predicts that April 2018 will see a storm of requests to data controllers.
Just as the FOIA unleashed a million information requests in the UK on 1 January 2005, Room predicts that the GDPR will unleash a deluge of access, portability and right to be forgotten requests by privacy advocates, consumers and members of the media. That in turn will result in a whole lot of complaints to the regulator about data controllers’ failure to respond satisfactorily.
“In preparing for the GDPR, organisations should take a lesson from the FOIA and think about what the burning platform is likely to be, and act now to ensure that measures are in place to ensure that it doesn’t ignite in the first place,” he says.
Actions of regulators
Another important guide, says Room, is the current conduct of regulators, who have for some time been acting as if the GDPR were already in effect.
He says: “For example, the UK’s information commissioner is already treating non-transparency after a data breach as an aggravating factor, so if you cast forward to 2018, the ICO will be able to append a massive fine on top of that, pointing out that it has been regulating on breach disclosure as if the GDPR were in effect since it was first formulated.”
In assessing specific risks for each organisation, Room says the key areas of focus should be on how they manage consent to gather data, how they prove compliance, how they ensure they are carrying out the right kind of risk assessment, and how they demonstrate privacy by design.
However, he cautions against focusing too much on compliance at the expense of doing what is necessary to mitigate each entity’s specific risks.
“The result will be that they end up being fined – not because they are not trying to be compliant, but because they are doing the wrong stuff, and not addressing the real risks,” he explains.
The way ahead
Looking ahead, Treacy believes guidance from the data protection authorities (DPAs) in the EU member states and the new European Data Protection Board will be critical.
“There is quite a lot in this regulation that will need to be interpreted,” she says. “It is going to be important that we see consistent interpretation across the DPAs, and that that is communicated in a sensible way to organisations.
“There also needs to be good dialogue and exchange of information between the regulators and organisations so that the guidance we get from regulators is founded on an understanding of how organisations are approaching key issues, rather than some theoretical viewpoint.”
As some companies head out of the starting blocks, potentially discovering they have lost the race before they have even started, others have recognised the significant impact that the GDPR will have on their business, especially those that are consumer-facing or conduct personal data profiling.
“They have been working on these issues for some time now, they have been lobbying hard, and they have started to think in quite detailed terms about what steps they are going to take to change their processes to accommodate what is in the new law,” says Treacy.
If anything at all is certain, it is that there is lots of work to be done for years to come around data protection as the world comes to grips with the game-changing legislation that is the GDPR.