On 25 May 2018 the EU’s ambitious General Data Protection Regulation (GDPR) comes into force, with the aim of strengthening data privacy and protection for all EU citizens.
The regulation puts individuals firmly back in charge of their personal information and what happens to it. It will fundamentally affect any organisation that stores, processes or handles the personal data of EU citizens – irrespective of that organisation’s size or where in the world it’s based.
From sole traders working at home to giant multinational corporations, no one (except law enforcement and intelligence agencies) is exempt. But how well-prepared is the UK?
The regulation is the most far-reaching change to data protection in a generation.
It places significant new strictures upon organisations, including having to build privacy into systems by design (and switched on by default); conduct regular privacy impact assessments; implement stronger consent mechanisms (particularly when processing data pertaining to minors); follow stricter procedures for reporting data breaches; and document any use of personal data in far more detail than previously. Organisations failing to comply could face fines of up to €20m or 4% of annual turnover (whichever is greater).
UK firms unprepared for GDPR
There’s little reliable data on UK firms’ level of preparedness for GDPR, but anecdotal evidence suggests it’s nowhere near where it should be, with lack of awareness particularly acute among smaller businesses.
Hazel Grant, a partner specialising in data protection issues at European law firm Fieldfisher, says: “We see a wide spectrum of levels of compliance. If an organisation has been following not only the law but also best practice over the years, GDPR will be less of a shock to the system.
“However, a lot of organisations haven’t really dealt with data protection to date because the risks have been relatively low. Fines have tended to be imposed only for significant data breaches, not for things like failing to do what you say in your privacy notices or not responding to requests as promptly as you’re meant to.
“I couldn’t venture a percentage, but I suspect a huge proportion of UK business is not ready. And if they’re not already complying with data protection law, they’re certainly nowhere near where they need to be.”
Chris Weston, a leading CIO turned independent digital technology adviser, has recently been working mainly with small and medium-sized enterprises (SMEs) in business-to-business sectors.
He says that among this type of organisation, levels of GDPR awareness, let alone compliance, are woefully low. “Most of the companies I speak to are compliant with the Data Protection Act (DPA), but it comes as a shock when they learn they’re going to have to address data protection issues again in a way that significantly affects not just their technology but their business processes,” says Weston.
Greater awareness essential
While he says IT professionals, particularly those in larger companies, seem to be on top of the issue, Weston believes there needs to be a concerted effort to raise GDPR awareness among the general business community, and especially SMEs. “It’s urgent. I think we should be seeing a campaign of a similar scale to Y2K,” he says.
The reason we’re not, he says, is that the Information Commissioner’s Office (ICO) – which will be responsible for enforcing the GDPR in the UK – simply doesn’t have the resources to mount an awareness campaign of the size and scope needed. “It already seems to be doing a great deal with not very much money, but the government and others should be doing more,” says Weston.
Security expert Brian Honan, who has long advised organisations on data protection issues, agrees that more effort is needed to raise awareness of GDPR requirements.
“Although the ICO has a lot of good material on its website, there’s a lack of education from the government, and that vacuum is being filled by messages that aren’t always particularly helpful,” he says.
“In many ways, GDPR in 2017 is what Y2K was in 1999 – not just in terms of urgency and scope, but also in the way everybody is claiming to be GDPR experts overnight, trying to sell technical solutions to what are actually strategic business issues. There’s a lot of scaremongering and FUD [fear, uncertainty and doubt] from IT and consulting firms, talking up the €20m fine and implying it can be avoided if you buy their solution.”
Honan adds that the EU General Data Protection Regulation is not primarily an IT project. “It’s a business project. IT can help implement controls and systems to protect privacy and ensure the security of data, but there are business processes that need to be put in place regarding subject access requests, ensuring privacy by design in all systems and services, privacy impact assessments, and so on. Businesses have to understand this can’t just be left to the CIO or IT director,” he says.
Brexit offers no GDPR get-out
Honan is also concerned that a number of the smaller businesses he’s spoken to believe Brexit means they no longer have to worry about the regulation. This seems to be confirmed by a recent survey conducted by Crown Records Management, which suggested a quarter of UK businesses had cancelled GDPR preparation following the vote to leave the EU.
CIO view: SThree’s Lance Fisher has confidence in the firm’s compliance strategy
Recruitment company SThree started preparing for the European Union’s General Data Protection Regulation (GDPR) in earnest 18 months ago, and CIO Lance Fisher is confident the company will be compliant.
“We’ve brought all the people responsible for areas touched by GDPR – such as cyber security, insurance, data protection and so on – under a single group which I head up,” he says.
“We’ve studied ICO guidance, brought in consultants and audited ourselves. We’ve automated core processes such as giving people the ability to opt in or be forgotten, verified our key technology partners are compliant and have even helped some smaller partners get up to speed.”
But there are still uncertainties. “For example, we don’t yet know how many subject access requests to expect. We’re also having to rethink how we market to candidates. Mass mail-outs will no longer be viable, and even targeting people via LinkedIn may fall foul of the legislation. LinkedIn claims it’s compliant, but that could be challenged once the legislation is in force,” says Fisher.
He also believes we could see an army of ambulance-chasing insurers emerge (as with PPI), helping individuals challenge companies on GDPR failings in a bid to earn a percentage of any compensation won.
Fisher says the best advice he can give to CIOs not yet up to speed with GDPR is to accept they no longer own people’s data. “We used to take the view it was ours, but you must now accept it’s theirs. Since that realisation hit us, it’s helped keep us on the right course,” he says.
In fact, Brexit is likely to make little difference to the need for GDPR compliance among UK organisations. The UK will be a full EU member for at least 10 months following the regulation’s introduction, so firms still need to be fully compliant by the deadline.
In addition, the legislation is likely to be adopted wholesale when we leave. Even if it’s not, any company with EU-based customers will have to remain fully compliant.
As Fieldfisher’s Grant notes: “Post-Brexit, the UK will still want the rest of the world to consider it has an adequate data protection regime. It will be far easier for us to do that if we implement the GDPR as originally drafted and don’t relax any of its provisions.”
Compliance as a business differentiator
Rather than viewing the General Data Protection Regulation as another compliance burden, smart organisations should see it as an opportunity. First, people are increasingly likely to choose businesses that can show they take their customers’ data privacy seriously.
And as Chris Weston points out: “Businesses that look at their data model, understand where that data is and put measures in place to find and manage information more effectively to comply with GDPR will reap significant benefits and value in terms of being able to process that data more efficiently in their day-to-day business.”
A summary of the Information Commissioner’s Office’s 12-point GDPR checklist
- Ensure senior/key people are aware of GDPR and appreciate its impact.
- Document any personal data you hold, where it came from and who you share it with. Conduct an information audit if needed.
- Review your privacy notices and plan for necessary changes before GDPR comes into force.
- Check your procedures cover all individuals’ rights under the legislation – for example, how you would delete personal data or provide data electronically in a commonly used format.
- Plan how you will handle subject access requests within the new timescales and provide any additional information.
- Identify and document your legal basis for the various types of personal data processing you do.
- Review how you seek, obtain and record consent. Do you need to make any changes?
- Put systems in place to verify individuals’ ages and, if users are children (likely to be defined in the UK as those under 13), gather parental consent for data processing activity.
- Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Adopt a “privacy by design” and “data minimisation” approach, as part of which you’ll need to understand how and when to implement Privacy Impact Assessments.
- Designate a Data Protection Officer or someone responsible for data protection compliance; assess where this role will sit within your organisation’s structure/governance arrangements.
- If you operate internationally, determine which data protection supervisory authority you come under.
For more detail on each of these 12 steps, refer to the ICO guidelines.