Compliance with the European Union’s (EU’s) General Data Protection Regulation (GDPR) is set to be enforced in a year’s time on 25 May 2018, and the consequences for non-compliance could be steep with fines of up to €20m or 4% of global turnover, whichever is greater.
The race is on for many UK organisations to ensure they are compliant by the deadline. The government has made it clear that the UK will implement the GDPR fully and that future UK data protection legislation will mirror the GDPR to ensure uninterrupted data flows.
However, a survey by software firm Compuware indicates that while 38% of 400 CIOs worldwide have comprehensive plans for GDPR compliance, only 19% of CIOs polled in the UK said they have comprehensive plans in place, which marks only a marginal improvement from 18% in 2016.
Identifying the areas of most concern, 56% of all respondents said data complexity and ensuring data quality are the two biggest hurdles they will need to overcome to achieve GDPR compliance.
In addition, 75% of organisations said the complexity of modern IT services means they cannot always know where all customer data resides, while just over half (53%) said they could locate all of an individual’s data quickly, as will be required to comply with the GDPR’s “right to be forgotten” mandate.
Nearly a third (31%) admitted that, at present, they couldn’t guarantee they would be able to find all of a customer’s data.
“It’s worrying that, with only a year to go, many organisations still have a lot to do,” says Mark Thompson, global privacy advisory lead at KPMG.
“The truth is that many just don’t understand what they have to do and how to deal with it. The unknowns around Brexit have also posed some uncertainty on what GDPR will mean to the UK post-Brexit.
“When it comes to Brexit, it is critical to understand that if the UK is going to continue to trade with the EU, the free flow of personal information must be maintained. As such, we have to have an adequate privacy ecosystem in operation in the UK which is aligned to the requirements of the GDPR,” he says.
GDPR compliance needed even in overlooked sectors
While the most proactive companies are at least a year into planning to be compliant, others are not as advanced as they might be and some are only in the preliminary or initial stages.
The companies that most obviously need to be looking at GDPR are those that deal with vast volumes of personal data, which tend to be larger organisations in the finance, health and retail sectors, but there are smaller organisations in less obvious sectors such as media and manufacturing that could be overlooked.
Other types of organisations that could be overlooked include those that host data on behalf of other organisations. These are likely to come under increasing pressure from their clients, who need to understand how their hosting providers handle their data in order to ensure their own GDPR compliance.
The reality is that so many organisations, even smaller ones, collect personal data for a variety of uses, so just about every organisation needs to analyse carefully what data they are collecting and how they are using it because they may need to comply with the GDPR without realising it.
Ready, on your marks, GDPR
Some commentators have suggested that organisations that have failed to take any action to date have left it too late, while others say a year may be just about enough time, but there is not a moment to lose.
Among those who believe there is too much emphasis on the 25 May 2018 deadline is Peter Gooch, cyber risk partner at Deloitte.
“This is not a race to the deadline and then it’s all over. Once enforcement starts, guidelines will continue to be issued and good practice will start to develop. It shouldn’t be a conversation about how an organisation is going to get over a line by May 2018,” he says.
“It should be about getting to a reasonable place by May 2018, and continuing to improve after that – continue to monitor the guidance that comes out, the precedents and the public opinion. That is as important as the deadline,” says Gooch.
“Everyone needs to realise that all activity will not come to a halt after May 2018. This is something that has to live and breathe in organisations almost as a new function or with at least a heightened level of awareness around it,” he says.
That said, Gooch believes that any big organisation that has not done anything about becoming GDPR compliant will have a “tough time” in the next year.
“Resources will be scarce to help with this kind of activity. If the business is complex, there is quite a lot of foundational work that will have to go into determining what the organisation’s position is and what the gaps are, especially if not a lot has been done on proactive privacy work in the past.”
Proactive companies better positioned for GDPR
However, if an organisation already has a robust regime in place around privacy, Gooch says the likelihood is that they will be on top of this anyway and will not be starting to think about it only now.
“That doesn’t mean there won’t be any last minute rushes about what to do and what not to do. But there is very little that is new in the GDPR, so if an organisation has been focused on privacy before and has a framework in place that defines roles and responsibilities, the step up to GDPR won’t be that big,” he says.
For these proactive organisations, the potential challenges lie in the changes the GDPR introduces, mainly around consent, data erasure, data portability and data breach notification. They also include the appointment of a data protection officer for organisations whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale.
“The biggest question we have from all our clients is about how far to go with GDPR compliance planning, how much effort to put into this, and where does the balance lie between what the regulators say is acceptable and what is not acceptable,” says Gooch.
At this stage, he says there is very little indication of how to determine this, but if an organisation has done nothing on the GDPR and nothing on privacy, it will be a “tough call” for a complex organisation to get to a reasonable state by the deadline.
For relatively simple organisations, however, even if they have not done much, Gooch says recognised good practice is emerging on how to tackle GDPR compliance, and so a year may be a “reasonable amount of time” to put in place the necessary processes, deliver some training around the GDPR and update policies.
“Less complex organisations are not necessarily in a bad place if they have not done anything about GDPR compliance yet, but they need to start doing something about it now,” he says.
Good data handling practices
Gooch says the imperative, however, should not be compliance with the GDPR but responding to consumer expectations around how businesses collect, use and protect their data and ensuring that their brand reputation is not lost through doing something consumers would not want to happen.
“People are becoming more savvy and aware about how their data is being used and what effect it can have on them through things such as differential pricing on products. Consumers are realising that privacy is about more than just confidentiality. It is about transparency regarding how their data is being used and putting them in control of what they are now recognising as a massive asset that they hold,” he says.
As a result, good data handling practices should be seen as a business enabler and opportunity, which is consistent with the view of the UK information commissioner Elizabeth Denham.
The GDPR will bring “a more 21st century approach” to how personal data is processed, and organisations should seize the opportunity to set out a culture of data confidence in the UK, she told the ICO’s annual Data Protection Practitioners’ Conference in Manchester in March 2017.
Gooch says some organisations are realising that if they are not building in the right privacy controls when they are designing processes, systems or products, that failure can have a negative impact on the business further on down the line.
“They understand that by taking care of privacy issues early on they will save themselves from the pain of regulatory scrutiny and sanction in future. It will be an enabler for the things they want to do – such as big data analytics, consumer profiling and targeted marketing – because it is being done in the right way that is consistent with the regulations,” he says.
Similarly, Gooch says using data in a transparent, privacy-friendly way could be seen as a competitive advantage.
“Right now, there are just a few organisations, such as the large social media companies, that are genuinely at that point, although there is a lot of talk among privacy practitioners about this as a concept and things are definitely shifting that way and will increasingly become a top priority risk for a wider set of organisations,” he says.
Organisations need to understand that, through greater transparency, they will be able to grow their customer base, collect more data and monetise it more. “In this way, organisations will be able to build their brand through trust because they deal with customers’ data in the correct way,” says Gooch.
He believes good data handling practices will become as important to consumers as fair pricing and good customer service. Companies in the technology and retail sectors are already using trust as a product differentiator by showing customers that their data and privacy matter to them, and Gooch believes other sectors will follow.
GDPR compliance makes “commercial sense”
In early March 2017, Rosemary Jay, senior consultant attorney at legal firm Hunton & Williams, told the House of Lords EU Home Affairs Sub-Committee that compliance with the GDPR makes good commercial sense.
“We should look for the positives in the framework to look at what we can do in the right rather than trying to avoid the regulation, because it offers protection for individuals and a framework for business in a digital world,” she said.
Sue Daley, head of cloud, analytics, data and artificial intelligence (AI) at IT industry body TechUK, said the GDPR offers organisations an opportunity to develop a culture of trust and confidence.
“This has to be led from the top and scaled throughout an organisation to ensure everyone understands what they are doing with data,” she told a roundtable discussion on the GDPR hosted by security firm Kaspersky Lab in London.
The GDPR is also an opportunity for organisations to not only review what data they hold and why, in terms of privacy and data protection, but also to look at how they can use data to innovate in terms of products and services, said Daley.
“This is an opportunity for businesses to engage with customers on privacy and data protection. By demonstrating compliance with the GDPR, businesses can use this for competitive advantage to drive loyalty,” she said.
Effect on cyber security landscape
Being able to offer assurances around the protection of personal data is key to building consumer trust, and compliance with the GDPR is beneficial. “There’s no question in my mind that complying with GDPR will make businesses more secure,” says Richard Stiennon, chief strategy officer at Blancco Technology Group.
“The core of all security is data protection. Doing a better job of protecting data throughout its lifecycle will enhance any organisation’s overall security posture. The GDPR’s requirements cover a multitude of areas, rather than just one single area, making organisations that comply that much stronger and less vulnerable to security threats, data loss, data breaches and regulatory fines,” he says.
Stiennon believes the GDPR will have a significant impact on the cyber security landscape. “Spending will increase dramatically as budgets are allocated to compliance. Network, endpoint and data security measures will be deployed where they have always been needed, but they’ll also be deployed where they’ve been lacking because a financial calculation based on risk alone did not justify it.
“One such area will be data erasure – the permanent and verifiable removal of data when the GDPR’s ‘right to be forgotten’ requirement demands it. In addition, there will be an impact on the managed security services industry as they roll out services around data security – and data erasure, in particular – and GDPR compliance,” he says.
While the emphasis is mainly on the May 2018 deadline and the fines, organisations are being encouraged to see the GDPR as an opportunity to get their houses in order in terms of security and privacy because it makes good business sense.
The Information Commissioner’s Office (ICO) is continually developing guidance aimed at supporting businesses not only in being compliant, but also in realising business benefit by growing consumer trust and enabling new data-driven business models.