So GDPR – is it just a state of mind, an attitude to data; or is it a tick-box exercise, the new PPI or millennium bug? We really need to know – do companies need to be scared, spending sums on solutions; and are the solution-pedlars snake oil salesmen, or professionally addressing a real need brought about by over-zealous legislation?
We’d like to say it’s a state of mind, needing small adjustments. We’d like to, but we don’t think we can. The reason we say this is not because of major changes in the regulations from the preceding Data Protection Act 1998. The principles are largely the same – with some changes to reflect the huge changes in the world since 1998, so that data isn’t collected just by people filling in forms. But from that point of view, it’s a continuum.
For most companies, data protection compliance was previously largely a matter of culture: paying a £35 a year registration fee and being broadly aware of the principles. Compliance was light. The level of fines made the risk small, and the cost of going overboard on compliance a nuisance. Obtaining a commercial advantage has largely trumped real data protection. In our dealings, some companies for whom collecting data is their core business have had only a passing acquaintance with their obligations.
The big changes in our view are around the ramped-up need for transparency, accountability and governance – with a real understanding of what and where consent is needed, and when it actually isn’t; and then the salutary impact of maximum fines going from £500,000 to €20,000,000, or 4% of global turnover, whichever is greater. That’s a lot – in many businesses, a 4% margin is a dream.
Companies need to act, but the actions they need to take depend on what they do. For some, the main actions might be limited to training, updated policies and privacy notices (a little more); for all, there ought to be an analysis of their needs. There isn’t a single solution, and there isn’t a single piece of kit, or software, or manual which will provide the magic bullet. The snake oil isn’t the remedy. But doing nothing isn’t the remedy.
Businesses and charities should use the time until 25 May 2018 to acquire the knowledge to perform the necessary analysis. They may need external advice. They may be helped by the type of “toolkit” which we’ve developed, and have applied to our own business and to charities in which our people are involved. They may, indeed, need assistance from their software vendors, and they may need investment in technology. The regulations refer to technical and organisational measures, and those need to be run in parallel. The organisational measures go down a number of channels: training, documentation, record keeping, audit and analysis. Sometimes the next step leads to another, unfortunately, and that’s why now is a good time to start the journey.
There are areas where detailed guidance is still awaited from the Information Commissioner’s Office (ICO), or the EU. Our view though is that the principles are clear enough to be doing the necessary work, in a structured, careful way. Where do you go for assistance? Do you run to the solution-sellers?
We’d say – start with the ICO website, which is a great site. You may need external assistance – you probably need trusted professionals with a track record, not the newly-expert. There isn’t a magic bullet product-fix. It’s a process; a series of processes. And in going through these, the business will gain an understanding of the issues so that the protection of personal data becomes second nature, part of the culture. From that, the rest follows.
Paul Berwin is a leading technology and digital law specialist and heads Berwins Digital, the specialist IT and Technology division of Berwins