When it comes to GDPR, what TCF is hearing from our clients and contacts falls into two categories:
“Help, GDPR is a huge challenge – what am I going to do about it on top of everything else?”
“The GDPR threat is completely out of proportion, I don’t know what the fuss is about.”
At TCF, our approach is pragmatic. Whilst we think that GDPR probably won’t make the sky fall in, it does need to be taken seriously and it does raise serious questions for most firms.. Anyone who thinks this will be another Y2K damp squib (remember that?) will have a nasty shock.
Why? Because organisations, possibly for the first time, will need to take a substantive compliance approach to data protection which is fully integrated with their mainstream control framework. For many this is a big step up.
Let us explain our thinking.
GDPR – or the General Data Protection Regulation – comes into effect in the UK on 25th May 2018. It is an EU Regulation but the UK Government has already indicated that it will be implemented in the UK irrespective of Brexit. Essentially it sets new comprehensive standards for handling personal data across the EU, in effect becoming a de facto international standard which countries like the UK pre and post Brexit will need to comply with in order to remain a part of the international ecosystem of personal data.
Some impacts – a big step up
GDPR is a big step up from existing Data Protection standards under the UK’s Data Protection Act and the EU’s Data Protection Directive. Overall, it creates bigger, tougher standards for firms to meet – with a more costly claims and penalty regime in place which puts more power in the hands of consumers.
This is substantially different to what firms have experienced before:
Bigger, because it applies to many more organisations including those that – have some ‘establishment’ in the EU which includes the ‘real exercise of activity’. So this can catch firms who work cross border and who don’t think of themselves as having big subsidiaries and operations in the EU. It also applies to data processors for the first time by covering organisations who process data for others. It catches more data by changing the definition of personal data to information which is capable of relating to ‘identifiable’ people – so in other words, a firm may have personal data which it does not even recognise as personal data. And it includes in its definition of ‘sensitive’ data’, a broader definition which includes biometric and genetic data.
Tougher, because it gives consumers more rights, such as the ‘right to be forgotten’ and provides more authority to data protection bodies such as the Information Commissioner’s Office in the UK. This authority includes allowing them to undertake on site audits, issue public warnings, reprimands and order compensation and remediation activity. It creates tougher compliance standards and, for example, for the first time, data processors will have data protection impact assessment and other documentary requirements to comply with as well as the direct liability for fines and supervisory action. It sets tougher standards for notifying data breaches meaning that certain types of breach should be notified within 72 hours of occurrence.
More costly, because it creates bigger sanctions which are on a par with anti-bribery sanctions, that is up to 4% of annual worldwide turnover and it makes it much easier for individuals to launch private claims for compensation. These claims can include damages for non-financial things like distress as well as quantifiable losses. And it enables data subjects to mandate data protection authorities to make claims on their behalf – a bit like a class action suit.
It’s all about risk
GDPR crucially introduces into the world of data protection a risk based approach that we haven’t seen before. It requires firms to risk assess their activities and implement mitigating actions dependent on the level of risk. It sets heightened requirements based on the level of risk. Risk based concepts run right through the GDPR, extending to the basis on which data protection authorities assess fines and actions. These are all new concepts for the data protection industry.
Is GDPR a ‘tsunami’ threat?
These are just some of the requirements, and some firms who have been contending with existing data protection requirements may feel they can take it in their stride. Others may feel that appointing a data protection officer (another requirement where the standards have risen) will be enough.
Neither approach, we would contend, will hold water in the longer term.
The trouble is that the Information Commissioner in the UK and other data protection bodies overseas have only acted publicly on a limited number of occasions. This will make the prospect of larger fines feel like a tsunami type threat – low probability, high impact – for many organisations.
But the chances of being reported, found wanting and being hit by significant costs and fines by the authorities are also greatly increased by the new and upgraded rights for consumers. These include the right to be forgotten, the ability to launch claims, claim damages and enforce rights. With a public that is increasingly sensitised to the protection of identities and the potential for social media to facilitate action groups the compliance risk is significantly increased. With data protection authorities armed with more powers, which go well beyond issuing fines, the expectations from the public and politicians is for significant action to be taken. It would be unwise to take a risk on this.
What this means for data protection compliance
In the UK, the Information Commissioner has been at pains to emphasise that GDPR will not be a box ticking exercise but rather a framework on which to build a culture of privacy which runs through the whole organisation. The emphasis on data minimisation and privacy by design is all over the ICO’s approach.
But for many firms (go on, be honest), data protection has to date been one of the lesser compliance priorities and has often been treated as a legal issue. You are ‘compliant’ or ‘not compliant’ as though this is just a single hurdle to be negotiated.
Culturally and structurally, data protection has often been run from the Legal or Operations Team rather than from the mainstream regulatory compliance areas and even where it has, in parallel with other compliance operations. Reporting and monitoring has often been separate and in governance terms, rarely treated (except when something has gone wrong) as on a par with compliance with the regulator giving you or maintaining your business licence.
What the GDPR does fundamentally is to require firms to engineer data protection into their mainstream compliance, risk thinking and operation.
But implementing a risk based approach backed up by a thought through data protection compliance framework will be challenging for a sector which is not used to this. This means using compliance policies, monitoring plans, risk assessments and reporting which is not standard across a data protection sector which has up to now been a bit of a thing in itself.
TCF’s experience, in working even with some sophisticated firms, has been that data protection staff have not been familiar with concepts of compliance monitoring, reporting and risk management in a personal data context. In our experience, it is not unusual to find firms where their data protection and privacy teams do not operate and have not needed to operate to the standards of policy, monitoring, reporting and governance which are required in other parts of the firm. Boards and senior management have regarded data protection fundamentally through a lens of whether or not they have had data breaches. Concepts of fair treatment which apply elsewhere have not incorporated privacy and data handling in a way which has built these concerns consistently into a holistic firm wide approach.
Operating in the new world
To operate in this GDPR world and to execute the necessary changes to practice and culture requires senior level buy-in. Clarity on the lines of responsibility are vital and having a data protection officer are key steps in this. Though they aren’t of themselves enough. Nor is the solution simply a tech one. Tech changes will be required but GDPR is about a fundamental change in the way organisations deal with data. There is tech out there which may promise data mapping and which can be of use, but that won’t of itself be enough.
We contend that getting started requires first, being honest about current standards of data protection compliance and taking a hard look at what your level of compliance is now. That means firstly reviewing your current compliance, skills and capability against not just data protection standards but against industry compliance standards. Secondly, properly reviewing your data processing activities, which means those which are in-house as well as those that are outsourced and/or delivered through suppliers. Together, these two activities should give you a pretty good idea of your exposure.
Meanwhile whilst we would all acknowledge that there is still seemingly a lot of detail missing from the ICO and Government guidelines, the ICO has been clear there will be no extensions to the implementation date even if the detail changes. And the GDPR itself provides a clear framework against which firms can measure themselves and work out what they will need to do.
Against this background at TCF we have been developing, with our Legal and with Tech partners, a thought through, joint approach to compliance and risk management in data protection – assessing the compliance gaps, supporting the necessary actions, providing practical data protection compliance tools and enabling development and improvement of firms’ internal approaches.
So is this just a case of ‘we would say that’ to sell you something?
No. We truly believe that GDPR is starting a compliance revolution for data protection. You can always talk to us. But if you don’t want to and you are the DP or the regulatory compliance lead for your firm, then you could make a good start by going to your opposite number and swapping notes.
We are all going to have to work together a lot more so we might as well start now.