GDPR Compliance – The Sky Is Falling
Over the past few months, I’ve been speaking to more and more business owners about their concerns regarding GDPR (General Data Protection Regulation), which becomes law on 25th May 2018.
The concerns appear to come from misinformation and fake news about GDPR. There are the scaremongers, reporting on the increased fines that an organisation could face. While it’s true that GDPR has increased the level of fines to 2% of an organisation’s global turnover, and for more severe incidents €20 million or 4% of turnover, whichever is the larger, it’s unlikely that fines will rocket. Elizabeth Denham, the Information Commissioner for the UK, stated in a recent blog:
“It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.”
Denham went on to say: “The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.” This statement holds true when you look at last year (2016/2017), when the Information Commissioner’s Office concluded 17,300 cases and only 16 resulted in fines for the organisations concerned.
Where some organisations are selling on fear, others are selling GDPR snake oil which magically makes your business GDPR compliant. I’m sure you’ve seen posts and blogs from businesses out there talking about GDPR and then selling something completely unrelated. Ironically, most of these sites are offering “free” guides on GDPR, but only after you have blindly handed over your personal details, and without any explanation of the basis on which they plan to process your data afterwards, which is kinda what GDPR is trying to prevent.
What these organisations are missing is what this new law is really about – greater transparency, enhanced rights for citizens and increased accountability. And this is something we should all be aiming for right now, isn’t it?
Don’t get me wrong, there are some useful technologies out there such as the Microsoft Compliance Manager to help with the documentation of controls, and even application and data archiving & e-discovery solutions to help audit or centralise data that could then assist with subject access requests. Don’t be rushed into purchasing that GDPR technology-based solution without first understanding why you actually need it.
To help organisations better understand what GDPR is all about, the ICO in the UK has created a useful guide. This guide is freely available from https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf and sets out 12 simple steps to help address any personal data issues you may have.
Step 1. Awareness
Often difficult to do in a busy or growing business, but decision makers and key people in an organisation must be aware of exactly what GDPR means to them. After reviewing the guide you may feel that implementing the GDPR will have a significant impact on internal resources, especially for larger and more complex organisations. There is plenty of help available, but don’t be fooled into thinking that outside organisations will significantly reduce the internal load.
Step 2. Information you hold
This is the real key to GDPR: knowing and documenting exactly what personal data you hold, where it came from, whether permission was given to store it, and who it has been shared with. You may need to organise an information audit in order to fully answer these questions.
Step 3. Communicating privacy information
You should review your current terms of service and privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. Be clear both internally and externally what information you hold and what you need it for.
Step 4. Individuals’ rights
Something which I feel is being overlooked is the rights of individuals, but at the end of the day, this is what GDPR is all about. So make sure that you’re not holding personal information unnecessarily, and check that you have procedures in place which remove personal data once it is no longer needed.
Step 5. Subject access requests
With GDPR, individuals will have the right to be forgotten and can request that an organisation remove and delete their data, as long as there is no compelling requirement to keep it. For many organisations today this could be a huge task, especially if you have to wade through every system, network, backlog and even your wider supply chain for an individual’s data. This could take days depending on how much data there is, how old it is and how difficult it is to locate. You should, therefore, make sure you have procedures and plans in place to handle these requests.
Step 6. Lawful basis for processing personal data
There are five additional lawful bases for processing data that may be more appropriate than consent. You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
Step 7. Consent
Today’s data protection law requires you to obtain consent through a clear, affirmative action. GDPR goes a little further: you can no longer use pre-ticked opt-in boxes when obtaining consent, and you also need to make it easy for people to withdraw consent. If you haven’t obtained consent for the data you hold, you will need to, unless there is another lawful basis for holding it.
Step 8. Children
Do you offer goods or services that may be used by children? Even if you don’t, you may need to start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
Step 9. Data Breaches
One of the main areas of the GDPR is transparency, both about what you hold and about what happens if you lose personal data. Make sure you have a process in place to detect, report and investigate any personal data breach or loss. You may need to report certain losses to the ICO, for example if the data loss could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
Step 10. Data Protection by Design and Data Protection Impact Assessments
It’s always a good idea to adopt a privacy by design approach, so I’d recommend that you become familiar with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
Step 11. Data Protection Officers
GDPR isn’t something to be taken lightly, but the sky isn’t falling either. Some work will be required, but there are people out there who can help. However, my recommendation would be to appoint someone internally to take responsibility for data protection compliance. If you are a larger organisation or have a complex structure, you may need to consider designating a Data Protection Officer.
Step 12. International
If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. The Article 29 Working Party guidelines will help you do this.
GDPR Compliance — It’s Going to Be OK
In summary, as I’ve already said, the General Data Protection Regulation isn’t something to be taken lightly, but it’s not something to be scared of either: the sky will not fall, the sun will rise in the morning, and everything is going to be OK. You’re probably doing most of what’s required already, or something similar, because of existing data protection or perhaps PCI DSS requirements. GDPR should be seen as a positive step up, making organisations and businesses more transparent and open about what they do with our personal information. Take advice from experts; I’d recommend you get some independent legal advice first, and many law firms are offering free webinars, so sit in on a few. Once you understand how the GDPR will affect you, you can start to work through these 12 steps. Good luck, and I hope this article has helped point you in the right direction.
Information and links from ICO licensed under the Open Government Licence.