A year ago, Simon Quarmby of Ownet Consulting wrote a paper entitled; GDPR – Tick Tock, Tick Tock – GDPR – Tick Tock, Tick Tock
At the time he was alerting Ownet Consulting clients to the large amount of work ahead for any organisation that handled personal data, in order to be compliant with the European General Data Protection Regulation (GDPR) by 25th May 2018. Well, now that the deadline has been and gone, can we all forget about GDPR and get back to running our businesses?
The straight answer is certainly not! That’s because GDPR is very much seen as an ongoing journey and not a destination. This means that whether your business was fully GDPR compliant or not on deadline day of 25 May, there is a continuing effort needed to maintain and embed compliance.
Elizabeth Denham, the UK Information Commissioner, recently commented that GDPR is not the new Y2K Millennium Bug, focussed on a fixed point in time. In 1999 there was genuine fear that systems would crash, and businesses would be thrown into turmoil at the stroke of midnight on 1st January 2000. As it happened, the forecast disasters never occurred, planes did not fall from the skies (thankfully!) and company IT systems did not meltdown. Within days Y2K was just an expensive memory for most people as businesses got back to…well doing business.
The Good…
GDPR has had a similar lead time – many companies and public organisations have been aware of and preparing for GDPR for 2 years and so were fully prepared and compliant in time for that implementation date of 25 May 2018. These were most likely the largest companies and public-sector bodies holding large amounts of sensitive personal data. They also will have had the financial and staff resources – the deep pockets – to fund large project teams to work on GDPR.
…the Bad,
On the other hand, some fast-growing entrepreneurial SME’s may have reckoned that GDPR had little relevance to them, especially if they were B2B rather than B2C and did not handle sensitive personal data (such as health records or child data). But a closer look will often reveal that these entities also handle some personal data, such as employee data and customer data if they sell to any individuals as well as corporations.
The Information Commissioner Office (ICO) has been open and refreshingly understanding in this regard. They appreciate that not all companies were fully ready and compliant for GDPR by 25 May. The regulator’s initial focus will be on the largest organisations and those collecting and processing the most sensitive data. So that should thankfully buy some time for everyone else. But the ICO is also clear that every organisation that handles personal data should have been compliant and that if there is a breach, complaint or issue that there will be enforcement. So, every company must have a plan and demonstrate that it is already working on getting there.
And the Ugly
So GDPR is not the new Y2K – because it’s not going away but is here for good. It will be enforced by regulators across Europe and there are significant fines for failure to comply (up to a hefty 4% of global revenue or Euro 20million – whichever is the higher). And one more thing – Brexit will not let the UK off the hook either! So, there is continuing work to be done whether your organisation is fully GDPR compliant already or not.
Large organisations with everything in place before the deadline
Even here there is a requirement for ongoing effort. It’s important that Data Protection becomes part of the DNA of an organisation. So, any new controls that were introduced specifically for GDPR compliance must be maintained and regularly tested. Routine training and refresher courses for staff, together with GDPR induction courses for all new starters will be critical for this.
Customers are now entitled to make Subject Access Requests to see all their personal data held by an organisation. There are fines for any business which cannot deliver this on a timely basis, so new processes need to be established for this and thoroughly tested. And Privacy by Design needs to be a guiding principal when launching new products and services, or when another business is acquired. If there is a significant change in the way personal data is held then a Data Privacy Impact Assessment needs to be completed. Data protection and data privacy are rapidly becoming front of mind for everyone – you just need to look at Facebook’s problems for a recent high-profile example. Large customer-facing organisations cannot risk the reputational damage of a public data breach and regulator fine.
In summary even the most GDPR compliant and ready organisations have to maintain this level of GDPR compliance, embed the principals of privacy throughout the organisation, and be prepared to assess the impact of any new technology or large-scale data processing change.
SME’s who have more work still to do
For these organisations there is no need to panic as long as they have a clear plan and resources to make it happen and can demonstrate that they are making good progress. But leave it too long and they will be at risk not only from the regulator but also from competitors who may spot and capitalise on a competitive weakness. More savvy consumers will begin to look carefully at who is handling their personal data. Being behind the curve on GDPR compliance will be seen as a red flag to consumers. So, what should organisations do if they are handling personal data and yet GDPR compliance has not been a top priority up to now?
Plan
Firstly, make someone responsible for GDPR, set up a project team and make sure that the team are given the necessary resources to achieve full compliance within a reasonable period. The ICO will not be impressed if this is going to take several years but are likely to be tolerant of a sensible plan that talks in months.
Prioritise
Perform an audit of your controls over the use and handling of personal data to identify the high-risk areas and ensure that any weaknesses are addressed as a priority.
Data inventory
Start off by identifying all the sources of personal data, how it is collected, stored, processed and archived. If this is not already documented with process maps and policies that’s a good starting point. Identify all the third parties that this data is passed onto, such as call centres or logistics providers.Controls
Make sure that solid controls over all personal data are put in place, including whenever data is passed to a third-party processor. Organisations may need to update any contracts with these vendors to ensure that they are also GDPR compliant with personal data. Usually a contract addendum is the best approach for this.
Communicate
The Privacy Statement from an organisation, telling its customers how it handles personal data and what are its customers rights under GDPR, is a mandatory requirement. But it is also a customer facing communication and needs to be seen as a marketing document rather than merely a legal requirement. Clarity and brevity are the main essentials here. Allow lawyers to have input but ensure that any customer communications about GDPR are written by marketing with the customer in mind.
Maintain and Embed
Once an organisation has become GDPR compliant, it needs to stay GDPR compliant! To repeat GDPR is not another Y2K bug. It is not going away and as customers get more aware of their GDPR rights they are likely to take more interest in who holds their personal data and how much care is being taking to keep it confidential. So, it is important to be prepared for subject access requests, right to be forgotten requests, and restriction requests on what can be done with that data. If these requests are not delivered within set time frames, then the data protection authority is very likely to get involved.
Companies with no presence in the EU that service or process data of individuals in the EU
Even if a company has no physical location in the EU they will still need to be GDPR compliant if they process or handle data directly of EU individuals. The company will need to appoint a representative based in the EU and ensure that they have the same controls in place for GDPR compliance.
Cross border processing
A further level of GDPR complexity occurs when a data controller passes data cross border, within or outside the EEA, or operates in more than one EU country. In this case it is necessary to identify where the ‘main establishment’ in Europe is – the country where central administration is based or where decisions about data processing are taken. Identifying the main establishment is important because it decides which data protection authority (such as the ICO in the UK) will be the lead supervisory authority. This is a central concept of GDPR – known as the ‘one-stop-shop principle’. Supervision of EU cross border processing should be led by only one supervisory authority.
In conclusion, the 25 May 2018 deadline signifies the start rather than the end of the GDPR journey for any organisation handling personal data. For those organisations not fully compliant, the message is clear – allocate resources and senior management support to ensure this happens rapidly. For all organisations, big and small, maintaining compliance and embedding a culture of data protection is an ongoing task that is just as important as achieving that initial deadline readiness. Data Protection is here to stay and the risks to a business, including large fines and damage to reputation, are much too high to ignore.
Ownet Consulting can assist clients with GDPR planning, compliance and controls. For more information on how we may be able to help your organisation please contact Jeremy James at jjames@ownet.co.uk