Go to any business meeting or networking event at the moment and one of the hot topics you often hear mentioned is data protection – or more specifically the General Data Protections Regulations, which come into effect on 25 May 2018.
So, while you may have heard of GDPR and rumours of GDPR, in our experience the business world is split into bits over what it all means, from those who’ve never heard of it to proclamations that the sky’s falling in; opinions that it’s business as usual, just an update to calls for matters to be taken seriously (and of course everything in between) In our opinion, somewhere in between seems about right.
The facts explained
The Information Commissioner’s Office (ICO) has been publishing a wealth of material about GDPR, with more coming out all the time. Most recently it has published a series of “myth busters”, presumably to take the heat out of some of the more extreme communications and hard-sells going around. The broad tenor is – nothing to panic about, it’s evolution not revolution.
whilst companies shouldn’t be panicking about GDPR that doesn’t mean that to do nothing is a viable option
This is quite right – this is evolution not revolution, and it does build on the existing framework which businesses should be aware of. But whilst companies shouldn’t be panicking, that doesn’t mean that to do nothing is a viable option – if this were so evolutionary, the ICO would be publishing less.
The principles of data protection
The principles have not changed in a major way; there is reference to biometric data and automated decision making, taking account of the changes in technological capability since the 1995 Directive on which the 1998 Data Protection Act was built.
For many companies, though, their actions, if any, in response to the requirements of the Act were limited to paying a £35 fee to the ICO, and generally not letting their data float around. Data Protection, like Health and Safety, became one of those phrases dredged up as a reason in itself for doing or not doing something. We’d hear of companies being fined, for letting loose large amounts of sensitive data; but generally data protection has been treated as quite a lazy tick box.
The changes around the corner won’t allow a lazy approach, and this is why we’re inclined to think that myth busting and “evolution not revolution” are an invitation to ratchet down the reality of what needs doing. The big changes - not the only ones, by any means – are around:
- The duty to report
- The role of Data Protection Officers
Exploring the changes
The first – accountability – is perhaps the biggest change. It’s not enough to give a general thought in the direction of Data Protection, pay £35 registration fee and be done. Every business has to make a conscience and recorded ongoing act of assessing its data assets, measuring them against the data protection principles and data subject rights, making and recording a correct decision as to how the assets are to be treated and protected, in some cases carrying out a data impact assessment, and reviewing all its processes to make sure that privacy is designed-in. This is a big change in perspective, culture and process, even where the outcome might be slight. If a business hasn’t conducted the accountability process, it’s at risk. That is the case even if after going through the process, the changes it has to make to its documents, consent mechanisms and processes are slight. It will be rare that they are that slight.
The governance requirement also represents a culture change. For many businesses, if data protection was anyone’s responsibility, it was regarded as an IT issue. It never was, and it certainly isn’t now; it’s a board level issue. Companies should be making sure that the board is on top of data protection issues, and there is a thorough reporting and recording mechanism for the board. The ICO sees this as a positive, in that good Data Protection governance will mean businesses are looking after their customers and their customers’ personal data. This may be so, but businesses – especially smaller ones – see their role as making profit for the business, providing good service to the customers; but not doing so as a side effect of regulatory imperatives.
For many businesses, if data protection was anyone’s responsibility, it was regarded as an IT issue. It never was, and it certainly isn’t now; it’s a board level issue.
A further change is the duty to report the destruction, loss, alteration or unauthorised disclosure of or access to personal data if that is likely to lead to risk to the rights or freedoms of individuals. This doesn’t sound like a big one; but the burden will be on businesses to show why they haven’t reported it. Again this will mean a documented decision making process carried out with an independent view, not to the benefit of the business but to the rights of the individual – the customer, or the employee. There has to be someone in the business, or engaged by the business, with the knowledge of the legislation and the authority to take a robust independent view. That is quite a change.
Making an appropriate appointment
Companies will therefore (and because of the legislation) need to consider whether they have to appoint a Data Protection Officer. They will have to unless the company has fewer than 250 employees or is otherwise not engaged in activities such as behaviour analytics. Our view is that many smaller companies will need to appoint a DPO, or justify why they have taken the view that they don’t need to.
A DPO will need to inform and advise the organisation and its employees; monitor compliance, advise and train; and be the point of contact with the ICO. That’s a big set of responsibilities, and a big set of skills to have. How widespread are those skills? They will need to be acquired. In addition, companies are going to have to ensure that the DPO and the data protection programme is properly resourced. The DPO should be at Board level – that’s a major governance change; and cannot be dismissed or penalised for conduct of that role.
Understanding the cost
The last of the big five change is around the penalties. Currently these are a maximum of £500,000. From 25 May 2018 these will be 20 million Euros (currently the proposed post Brexit equivalent is given as £17m), or 4% of globalturnover whichever is the greater. That’s a massive hike, and companies undeterred by the current fines are now thinking they need to take notice.
This is happening; it is happening regardless of Brexit; and whilst we are not panic merchants, or instant-answer finders, we tend to think the myth buster message obscures what aren’t myths – that companies have a lot to do, in a diminishing period of time. They need to have a programme for readiness, and appreciate that this is going to be ongoing.
companies have a lot to do, in a diminishing period of time
Leaving this to March or April 2018 ought not to be an option; but we suspect it will be an option which many will take. We say – with or without external support, start the process as soon as you can, and map out how you will be ready by 25th May. It will be quite tough, and will involve discipline; and it will uncover slack practice, for sure. It just has to be done.
Paul Berwin is a leading technology and digital law specialist and heads Berwins Digital, the specialist IT and Technology division of Berwins