momius -

Organisations can use GDPR ambiguity to contest fines in court, experts say

Businesses can use the vagueness of the regulation to argue against fines in court, say experts

Companies can use the ambiguity of the General Data Protection Regulation (GDPR) to their advantage if they are accused of being non-compliant, experts say.

Paul Holland, information security lead at insurance firm Hiscox, told delegates at Cloud Expo Europe in London on 21 March 2018 that the uncertainty over the wording used in GDPR could prove problematic for organisations when it comes into force on 25 May 2018.

Holland said the laws are “very vague in a lot of statements” and expects to see many years of contests between the Information Commissioner’s Office (ICO) and organisations in court as a result.

“There’s not a lot of detail [in the regulation] as to what we [the companies] need to do,” he said. “A lot of it is down to interpretation. I can see us having probably 10, maybe 15 years of mitigation going on as companies start to challenge the regulation in the courts when they are starting to look at being fined.”

However, fellow panellist Gboyega Ayoade, GDPR project manager and data privacy lead at tobacco company Philip Morris International, said if organisations have a GDPR plan, the vagueness of the wording could work in their favour.

“What this lets a business do is argue that they interpreted the rules in a particular way, and if that turns out to be incorrect, the ICO can explain why,” he said.

“So what really matters is how you plan your GDPR project and how you plan to implement all those areas where there is no clarity.”

Read more about GDPR

He said businesses can do this because they have a right to try to be successful through their operations, just like people have the right to protect their data.

“Whether the plan is 100% accurate, in this case, does not matter because [with GDPR] the ICO itself does not have a regulation that is 100% clear,” he said.

“The plan is to satisfy the requirements of the regulations, and when it comes to the areas that are unclear, a business can ask the ICO ‘What exactly were you expecting?’”

“If their interpretation of the rules is different to the business that is being challenged, a business can then make it clear they have a responsibility to their customers, shareholders and staff to continue to operate,” said Ayoade.

Holland said organisations looking to do this will need to demonstrate they have considered what data they have and any risks associated with it.

“The plan is certainly the key piece for businesses, ensuring they’ve got that plan in place anywhere that might be slightly off from what the regulation might be saying.”

Preparing for the regulation date

Ayoade said one of the most important aspects of GDPR is ensuring employee awareness, as they deal with the data on a daily basis.

“You can put all the processes in place with the systems as much as you like, but your activity is what really drives the business,” he said.

“But if the people making the decisions about the use of data do not understand what GDPR is asking them to do, you’ll continue to have problems.”

Holland said businesses need to have a full understanding of their data and only retain what is critical to them.

“If you want to help yourself with the regulation, you move as much of that data as possible and keep only what is absolutely necessary for your business,” he said. “It just makes things easier to put controls in place if you’ve got much less data in there.”

Awareness and understanding your data are also the first two steps the ICO highlighted for business compliance with GDPR.

Read more on Regulatory compliance and standard requirements

Data Center
Data Management