Preparation for compliance with the General Data Protection Regulation (GDPR) is essentially a change management programme, according to Emma Butler, data protection officer (DPO) at digital identity firm Yoti.
“This is not something you can leave to the lawyers to deal with and the rest of the company can carry on as normal,” she told a recent discussion about the legislation hosted by IT industry body TechUK.
“It is change management because there are policies, processes, technologies and cultures at stake, many of which you need to change and adapt,” said Butler, who is responsible for the three-year-old startup’s GDPR planning and keeping the 150 employee company on track for GDPR compliance.
The amount of change will vary between organisations because everybody is in a different business and stage of compliance, she said. While it may be fairly limited for some, it may be fairly significant with “quite an impact” for others because of all the personal data handling requirements introduced by the GDPR, she added.
However, Butler said organisations should view the GDPR as an opportunity to do information governance really well and identifying what is needed, rather than as a threat to business models and innovation.
“There are threats and risks, but if you look at it like that then you are going down the wrong path and you are just not going to get anywhere,” she said.
By doing a gap analysis, Butler said many organisations may find that they will need to streamline their operations, but this often results in cost savings.
“In mapping your data, finding out where your data is and really understanding what you have got, you might find an opportunity for a new product line. That is the approach you have got to take,” she said.
Present business benefits to management
“Use the fines and the share price impact as your backup stick should you need to, but if you can present it as a way to help the business to develop and grow you will probably be in a much better place.”
The GDPR is widely expected to drive better practices and security controls around personal data because of the potential fines of up to €20m or 4% of global annual turnover, whichever is greater.
But Butler said organisations should focus on being more customer-centric and building consumer trust rather than simply complying with the GDPR.
“It is about taking a more holistic view of what an organisation is doing about information governance that involves information security, marketing, HR and product development to ensure that the organisation is improving its information governance across all departments, rather than being a tick box compliance exercise that the lawyers or DPOs sort out in a corner somewhere,” she said.
Data consent biggest GDPR worry
One of the biggest concerns for organisations is the GDPR’s requirement for explicit consent, polls have revealed, but Butler said this concern often stems from the misplaced idea that they have to choose consent as the lawful basis for the data processing they want to do or the realisation that they should not be using it in the first place.
“For too long companies have been doing ‘pretend consent’ and treating it as the thing to do, when in most cases it is the last condition for processing we should look at, and in reality a lot of the processing in companies is done on another basis. It isn’t done on consent because there isn’t a genuine choice,” she said.
“[The GDPR requirement around consent] is forcing companies to take a hard look at what they are doing, and consider if the individual says ‘no’ whether the processing will still happen, and in most cases it will, so it is not a real choice.”
Butler believes that once organisations identify the actual reason or basis for the processing they are doing, most of the concerns around consent will disappear.
Regulation will differ between interpreters, says Butler
Turning to the GDPR-related risks, she reiterated the information commissioner’s office (ICO) view that organisations cannot wait for all the regulator guidance to be in place before taking any action.
However, Butler said the lack of regulator guidance and the lack of UK implementation from the government is a problem for some organisations.
For example, she said, the right to data portability is brand new for organisations outside the energy and financial sectors that have had some experience of this.
Other sectors are struggling to come to grips with how data portability will work and what technological and process changes they need to implement to make data portability possible.
One of the first questions is going to be about what is in scope, but this presents a problem for many organisations, said Butler.
“The [GDPR] defines scope one way, guidance from the regulators widens it, and the European Commission says the regulators have gone too far, so the DPO is confronted with the problem of deciding who to follow,” she said, because each one has different cost implications.
The other sort of risk for pan-European companies, said Butler, is that the GDPR is supposed to be a harmonised regulation, but it clearly is not.
“There are going to be a lot of national difference, not only just in the law, but also in the regulator interpretation and enforcement action,” she said.
Butler said there is a lot of co-operation between regulators and it will have to increase, but she said it is not difficult to imagine a situation in which two or three regulators may have very different views on the interpretation of some part of the GDPR.
“That is a risk and a challenge that is facing companies operating across Europe because we don’t know exactly how things will play out in different countries, and there are some regulators that are more likely than the ICO to get you on a technicality, which is difficult to manage,” she said.
Butler said while organisations need to be honest about these kinds of risks and challenges, they should approach the GDPR positively as an “opportunity to get information governance nailed” and show that they can be trusted, which she said is the best approach.
Read more about GDPR
- GDPR: One year to compliance and opportunity.
- Finding customer data is big hurdle to meeting GDPR right to erasure.
- Businesses dealing with EU citizens’ data urged to ensure they are on track to comply with the GDPR in less than 16 months, as the world marks Data Protection Day 2017.
- The Information Commissioner’s Office sets out plans for publishing guidance on the EU General Data Protection Regulation.