Over the last year, you will have read many articles about GDPR. Many authors use scare tactics to sell audit and other services to readers!
Generally the reason why companies are panicking is because now, for the first time maybe, there’s legislation with teeth. Existing health & safety, privacy and employment law can substantially be ignored because unless a firm really transgresses, there’s little repercussion. And quality management is optional! GDPR can’t be ignored.
So panic ensues.
The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. As a Regulation, all EU Member States must adopt the legislation. In the UK, we will embrace the Regulation in a Data Protection Bill which will cover all elements of the GDPR and more.
The Data Protection Bill will supersede the Data Protection Act 1998 (DPA).
All organisations that process personal data about EU residents must be compliant with the new Regulation. The new Regulation allows people – data subjects – to have more of a say over the data held on them. It also introduces tougher fines for privacy breach and non-compliance.
As with any new regulation there will be cries from business owners that “it’s too onerous” and “it’ll cost thousands to implement” and “it’ll take too much time”.
Mandating GDPR compliance is in essence like making the international quality standard, ISO9001, or the international information security standard, ISO27001, mandatory. Companies who already have strategy, a company system and ongoing auditing to demonstrate compliance (with whatever standards they choose to meet) will find that GDPR can dovetail simply into their existing activities with minimal change.
For well-systematised firms, GDPR will add little administrative overhead.
In response to these cries from others, GDPR will only be onerous, costly and time consuming if you are not currently managing your data effectively. Read on to see how you can manage the implementation of GDPR. It’s not as scary as some would have you believe.
What is GDPR and how does it work?
The ICO (Information Commissioner’s Office) states in one of their blogs: "GDPR is an evolution in data protection, not a burdensome revolution".
At TimelessTime we couldn’t agree more.
For those firms that already manage data effectively and who comply with the DPA, the transition should be straightforward. Yes, there will be changes to be made to ensure compliance with GDPR, but the current data management, audit process and good governance of existing company systems will ensure a smooth transition. For such firms the evolution to GDPR simply strengthens an already robust company system.
GDPR is really simple to understand.
Imagine for a moment that a firm has a snippet of personal information about you. Let’s say it’s something you’d rather keep private. How would you like that firm to behave? … Quite right! Now you understand GDPR.
It’s just a common sense set of requirements on firms to keep information private.
Now flip the situation round to look at your own firm. GDPR is about the way in which you acquire, use, share and generally look after data that can identify an individual. Just as you wouldn’t leave your passport, wallet or other personal data lying around, neither should you leave the personal data of others lying around. You need to look after it – it’s private.
The regulations specify how personal data should be managed to ensure that information is kept safe and only used for the purpose for which it was collected.
There’s a common approach taken by all such regulations, laws and standards. These are as follows.
- Firstly, you must establish clearly the assets you possess and know why you have them. Under GDPR these assets are data on people.
- Secondly, you must determine the threats to the safety and integrity of this data. Those threats pose risks to the safety and integrity of the data.
- Thirdly, if the risks to the data are unacceptable, you must implement controls to reduce the risks to be acceptable.
- And fourthly, you must demonstrate by audit that the controls that you’ve implemented will be effective.
This four-step approach helps avoid the view that GDPR is complex. It’s just another standard to be complied with – no more and no less onerous than any other.
There are of course some additional requirements because the data is about people – like the right of the data subject to know what data is held on them.
GDPR identifies three entities – a Data Subject on whom data is held, a Data Controller who benefits from use of the data, and a Data Processor whom the Data Controller in turn asks to process the data on its behalf.
Data assets and risks
The starting point for all should be to conduct an audit of the data held and the purposes for which it’s used. Remember that data can be held in paper format and in soft format on computers, laptops, tablets, mobile phones – indeed any device that will hold data. Data can be held locally, centrally in a firm’s servers, in UK-based ‘cloud’ storage or overseas. Determine what the data is and where it is held.
Some data will be held in the UK, some in the EU and some worldwide. You need to be aware of where data is stored and the data protection standards implemented by the storage vendor. For example US firms such as Google sign up to the Active Privacy Shield. This framework provides a set of ‘robust and enforceable protections for the personal data of individuals from EU’. This covers instances where that data is stored outside the EU.
The GDPR demands that, as Data Controller or Data Processor, you satisfy yourself that data from your Data Subjects will be safe. Initiatives like Active Privacy Shield help in this.
So having determined what data you have and satisfied yourself about its safety, you can move to the next stage.
Privacy impact (risk) assessment
The focus on privacy should occur at the outset of any project or new system implementation, not as an afterthought. GDPR calls this ‘privacy by design’. Consideration must be given to how the data collection, storage and use will impact on Data Subjects. Controls must be put in place where an unacceptable risk is identified.
Privacy Impact Assessment (PIA) works with the risk assessment discussed above. It ensures that the risks of data loss or inaccuracy are minimised from the outset.
The website of the Information Commissioner (ICO) has a code of practice for conducting PIAs. Whilst it’s a lengthy document, it does cover possible risks and causes the reader to consider how to mitigate those risks. The PIA is central to GDPR.
By adding a PIA to an already robust company system, enhanced consideration for the protection of data will follow automatically.
Much has been reported about the high fines that will be meted out if a data breach occurs. Maximum fines of EUR20m or 4% of gross turnover (whichever is higher) will become effective from May 2018. Currently under the DPA, fines of up to GBP500k are possible along with prison sentences for blatantly breaching the DPA principles.
The current DPA regulations include a principle related to data breach. So in reality, GDPR is no different from DPA, though the maximum fines are somewhat higher.
Data breaches that are likely to result in a risk to individuals’ rights and freedoms will need to be reported to the ICO. Whether or not a breach should be reported will depend on the risk posed to those Data Subjects whose data has been breached. You can read more about this in the ICO blog – Setting the record straight on data breach reporting.
In most circumstances the Data Subject will need to give their consent for data to be held. This means that firms must, for example, get people to opt-in to receiving their newsletters and not just assume that consent has been given.
Once data is collected it can only be used for the purpose for which it was collected. Access to the data must be restricted to those who need to use it. It must be securely held, and only for as long as it is needed.
Understanding risks to the data held and mitigating those risks are key in both the DPA and the new GDPR.
Firms that are compliant with ISO9001 and other standards involving systematisation of the business are likely to take the transition to the new Regulations in their stride. Yes, new processes may need to be developed. And yes, existing audit schedules will need to be extended to cover GDPR.
Privacy Impact Assessments will also need to be carried out at the outset of projects – but then a systematised business will do risk assessments anyway. Such businesses just need to extend their scope to cover data held on Data Subjects. And finally, under GDPR, records are needed showing what data is held and where so there is a record-keeping requirement.
So is GDPR compliance onerous?
Maybe it will be if you are not used to conducting risk assessments or auditing to prove compliance on other subject areas like quality, health & safety or information security.
Yes, there is work to do. Yes, it will take some time and effort. But GDPR compliance will enhance business processes, making the business more effective and that will add to competitive advantage.
GDPR compliance is a benefit, not a cost.