For the UK Information Commissioner’s Office (ICO), the EU’s General Data Protection Regulation (GDPR), which comes into force in May this year, creates an onus on companies to understand the risks they create for others, and to mitigate those risks.
According to the ICO, it is about moving away from seeing the law as a box-ticking exercise, and instead working on a framework to build a culture of privacy that pervades an entire organisation.
From speaking to IT suppliers and customers when advising on how to get ready for GDPR, it is clear there are a few areas of misunderstanding about the regulation.
GDPR obliges organisations to take another look at how they process personal data, such as their customer database.
Because GDPR is heavily linked with personal data, the word “data” often signals that this is some kind of IT issue. However, GDPR is a cultural change in terms of how companies process personal data throughout the organisation – where personal data is obtained from, how it is used, where it is stored, who it is passed to and how those parties use that data.
As a result, complying with GDPR will often be a team effort from different departments in the organisation. IT teams that feel it may be their responsibility to soldier on and deal with GDPR alone should be letting the whole organisation know about the regulation and explaining that it is not just an IT issue.
From an IT perspective, GDPR is definitely not just a case of an IT department investing in more IT equipment in order to tick the box for becoming GDPR compliant, regardless of what some suppliers may say about buying GDPR-compliant IT equipment.
At present, all types of organisations, and departments within those organisations (such as HR, IT and marketing), are taking advice on measures that they should be putting in place now in order to be ready for GDPR. It is mandatory for public sector bodies to have a data protection officer (DPO). Organisations other than public sector bodies could also be required to appoint a DPO if, for example, a core activity of their business involves regular and systematic monitoring of individuals on a large scale.
Read more about GDPR
The data protection officer, required for many organisations to be compliant with the EU's GDPR, will face challenges in the new role but could improve how data is handled.
Businesses should look beyond compliance with new data regulations to ensure that their business processes and models are in line with future requirements, advises a privacy innovation expert.
Conflict of interest
If an organisation decides it needs a DPO, the DPO cannot be its IT director. Why? Legal developments suggest that DPOs cannot have a conflict of interest, so if they are the IT director who is responsible for, say, managing data from an IT perspective, then that IT director cannot also be the data protection officer. Essentially, senior officers and mid-level managers such as an IT director, marketing director or operations director cannot be in a position where they are also appointed as a DPO and essentially check and sign off on their own work on GDPR compliance.
Although many news stories focus on hacking and GDPR breaches, GDPR is not just about hacking. For example, it currently costs £10 for an individual to get his or her data from an organisation under data protection law. Under GDPR, it will be free subject to various exemptions, such as repetitive requests, manifestly unfounded or excessive requests, or further copies. As a result, organisations can probably expect more individuals to want a copy of their data, including past and present customers and employees. The time limit for responding to these requests is 30 days, but if an organisation receives many requests from employees or customers, is it prepared to provide this personal data to them within the 30-day time limit?
Another key point is that, unless the individual requests otherwise, if a request is made in electronic form, the relevant information should also be provided in a commonly used electronic form.
Many people have focused on the threat of heavy fines under GDPR – up to €20m, or 4% of an organisation’s worldwide annual turnover. But what is also of concern is that if there is a data breach that poses a high risk to individuals – for example, if all credit card details are lost or stolen so that fraudsters can use those details – the organisation must notify those individuals.
If a firm has to notify its entire customer base of such a breach, this could lead to a rush of enquiries by concerned customers, and some may want to move to a competitor. Losing a large number of customers and business in a short period of time can severely affect a company’s reputation, revenue and stock price.
The Equifax data breach led to the company’s stock price falling by about 20%. Hence, damage to an organisation from a data breach may come swiftly, with any fines following later.
New elements of GDPR allow for individuals to: file a complaint with a data protection authority if their personal data has not been processed in accordance with GDPR; bring a claim against a data protection authority if it does not deal with a complaint properly; bring a claim against the organisation that has not processed their personal data in accordance with GDPR; and claim compensation from that organisation where the individual has suffered damage as a result of GDPR non-compliance.
Organisations fear this could lead to class action claims in the UK, as is prevalent in the US. One example of this kind of claim in the UK in the Morrisons case, in which the court ruled that thousands of staff were entitled to compensation from Morrisons because their personal data had been wrongfully posted online.
A lot of organisations have put off their GDPR readiness process – but the clock is ticking. Given that the regulation comes into force in May 2018, it does not leave a lot of time for an organisation to become ready for compliance.
It appears organisations might be delaying their GDPR readiness process for a number of reasons, such as: they think of it as a compliance burden that is somehow optional (when it is compulsory), or they are deterred by the perceived costs and resources associated with getting ready for GDPR.
The ICO’s view tends to be that every new piece of legislation has an impact – and GDPR is no different.
This article was written by Jimmy Desai and Emmanuel Vranakis, who are are lawyers at Keystone Law.