The GDPR learning curve
The new data protection law, the General Data Protection Regulation (GDPR), comes into force on the 25th May and has been firmly on our agenda since last summer, understandably so for a software studio that develops on-line database applications. But over the last couple of weeks other organisations and businesses finally seem to be waking up to the fact that they need to start thinking about it and ensuring their business is compliant with the new regulation in a little less than four months' time!
So, what have we learnt so far and how has our understanding of the regulations changed over the last few months?
1. There is no such thing as an expert!
The Information Commissioner's Office (ICO) is still publishing new guidance and updating its website as we speak. Why? Because the organisation responsible for enforcing data protection in the United Kingdom is still getting its head around the EU General Data Protection Regulation (EU-GDPR) (shown below).
As with any legislation, there are areas within the GDPR that are ambiguous and will need further clarification, no doubt inside a court sooner or later as an organisation attempts to avoid the headline fines of up to four percent of worldwide annual turnover (or 20 million euros, whichever is higher). I popped in to see our company's legal advisor before Christmas and their reception was covered in fliers about GDPR, as solicitors love a little bit of ambiguity in the law ...
2. General awareness
There are over five million businesses in the United Kingdom, ranging from micro-businesses that employ fewer than five people, through small and medium-sized enterprises (SMEs) employing between 5 and 250 people, to corporates employing more than 250. Yet only a fraction of these businesses (under 100,000) are registered under the current Data Protection Act 1998.
GDPR is certainly creating awareness, but in a recent survey more than 50% of SMEs said they were still not aware of its existence!
3. Documenting data you hold
It is only in the last couple of weeks that the ICO has published templates that can be used to document the personal data your organisation holds (GDPR Documentation). They have certainly helped us understand what is required, and it goes well beyond what we had initially understood.
The examples provided give you an idea of the personal data that falls within the legislation:
(a) Employees (contact, bank, pension, tax, pay and sickness details, as well as performance records).
(b) Candidates (contact details, qualifications, employment history, etc).
(c) Clients (contact details, purchase history and lifestyle information).
So, when you are tempted to say "these regulations don’t apply to my business", think again!
4. Explaining how you handle data
In its simplest form this means you need to update your privacy statement (that's if you even have one) and make sure it complies with Article 13: Information to be provided where personal data are collected from the data subject. This should include details such as:
(a) the identity and the contact details of the controller;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
Not all of these are required in every case, and this certainly isn't an exhaustive list!
5. Individuals' rights
GDPR introduces a number of rights and extends some existing ones; the right of access to personal data, explained in Article 15: Right of access by the data subject, extends the current requirements under the Data Protection Act 1998. Other rights include:
(a) Article 16: Right to rectification
(b) Article 17: Right to erasure ('right to be forgotten')
(c) Article 18: Right to restriction of processing
(d) Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
(e) Article 20: Right to data portability
(f) Article 21: Right to object
(g) Article 22: Automated individual decision-making, including profiling
One of our clients asked about retention, in the context of the right to erasure, and after some clarification determined that they were allowed to retain data under requirements for local taxation and product warranties; but you need to assess each example on its own merits!
6. Consent
Consent is the lawful basis for processing that most people think of first (though it is only one of six), and Article 7 explains the conditions for consent. The headline here is that consent must be granular (separate consent for separate purposes) and freely given, specific, informed and unambiguous. Companies can no longer rely on "opt-out", pre-ticked boxes or an assumed "opt-in"; refer back to my comments about documenting data (item 3).
For children's consent to on-line services (Article 8), GDPR sets the benchmark age at 16, although individual countries can opt to lower it, to no younger than 13.
7. Data Protection by design and by default
GDPR coins a new phrase, by design and by default (Article 25: Data protection by design and by default), and also introduces Data Protection Impact Assessments (Article 35), which in short should make data protection, from an individual's perspective, a massive step forward. Once GDPR kicks in, the likes of Equifax, TalkTalk and others will struggle to get away with some of the blatant lack of safeguards of the past. But (and it is a massive but) GDPR sees your small business as no different to a global corporation; as the dossier we have been reading puts it, "the sheer number of legal provisions makes it difficult to keep track".
One of our clients asked us about transfers to third countries last week and we advised them to seek clarification from the ICO, but having read the dossier it seems clear that the transfer rules apply as soon as a recipient of the data is in another country; it is not a question of whether the data is physically moved to a third country. This has an impact on any e-commerce retailer operating beyond the United Kingdom's borders.
This area of the new regulations is a huge topic and one we have certainly focused on, as it impacts our business. Any new technical solution has to be secure by design and by default, which puts an onus on the data controller (that is you) to ensure we develop solutions that meet this requirement. We introduced our own security architecture several years ago to protect our on-line solutions, but the new legislation also requires you to monitor your systems and to report a personal data breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and to tell the affected individuals where that risk is high; so not being aware of a breach is no longer an acceptable position. As a result, there are a huge number of businesses now offering monitoring and detection services, penetration testing, etc., with a price tag to match!
We are not a law firm and I am not a solicitor, so this article reflects our current understanding of the new legislation; for specific information and guidance you may well need to speak to your organisation's legal advisor to ensure compliance.
No one knows what will happen on the 25th May, but if you are a business owner or manager, or run an organisation that holds personal data, you need to assess the risk of not complying and then determine what action you need to take. We've spoken to hundreds of people in the course of our work (prospects, clients, etc.) and we know that people are concerned about GDPR, but are equally concerned about how some organisations are completely unaware of the current legislation, let alone GDPR. We are also worried about how the Information Commissioner's Office (ICO) will deal with the inevitable increase in its workload.
The most important thing is to show that you are working towards compliance on or before 25th May. As Elizabeth Denham (Information Commissioner) said in her recent article GDPR is not Y2K: "it's an evolutionary process for organisations – 25 May is the date the legislation takes effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018".