Remember the little red books? No, not the thoughts of Chairman Mao. The red booklets that explained each of the Data Protection Act 1984 principles. As a young HR Manager, I was instrumental in setting up data protection in my multi-national employer when the '84 Act became law. I trained managers on the ins and outs, developed the paperwork for subject access, formulated controls, updated policies and procedures and implemented audits. Sound familiar? It should, because that is just what we are doing now with the updated GDPR regulations.
And the message? GDPR really is nothing new.
Scare tactics and panic
Over the last eighteen months, you will have read many articles about GDPR. Many authors use scare tactics to sell audit and other services to readers! And actually, it was pretty much the same in 1984.
Generally the reason why companies are panicking is because now, for the first time maybe, there’s legislation with teeth. Existing data protection, health & safety, privacy and employment law can substantially be ignored because unless a firm really transgresses, there’s little repercussion. Even quality management is optional! GDPR as legislation can’t be ignored.
So panic ensues.
The General Data Protection Regulation (GDPR) comes into force on 25th May 2018. As a Regulation, all EU Member States must adopt the legislation. In the UK, we will embrace the Regulation in a Data Protection Bill which will cover all elements of the GDPR and more.
The Data Protection Bill will supersede the Data Protection Act 1998 (DPA), which itself superceded the Data Protection Act 1984 and the Access to Personal Files Act 1987 and implemented the EU Data Protection Directive 1995. The Bill will also modify the Privacy and Electronic Communications (EC Directive) Regulations 2003
All organisations that process personal data about EU residents must be compliant with the new Regulation. The new Regulation allows people – data subjects - to have more of a say over the data held on them. It also introduces tougher fines for privacy breach and non-compliance
As with any new regulation there will be cries from business owners that “it’s too onerous” and “it’ll cost thousands to implement” and “it’ll take too much time”.
Mandating GDPR compliance is in essence like making the international quality standard, ISO9001, or the international information security standard, ISO27001, mandatory. Companies who already have strategy, a company system and ongoing auditing to demonstrate compliance (with whatever standards they choose to meet) will find that GDPR can dovetail simply into their existing activities with minimal change.
For well-systematised firms, GDPR will add little administrative overhead.
In response to these cries from others, GDPR will only be onerous, costly and time consuming if you are not currently managing your data effectively. Read on to see how you can manage the implementation of GDPR. It’s not as scary as some would have you believe.
What is GDPR and how does it work?
The ICO (Information Commissioner’s Office) states in one of their blogs "GDPR is an evolution in data protection, not a burdensome revolution"
At TimelessTime we couldn’t agree more.
For those firms that already manage data effectively and who comply with the DPA, the transition should be straightforward. Yes, there will changes to be made to ensure compliance with GDPR, but the current data management, audit process and good governance of existing company systems will ensure a smooth transition. For such firms the evolution to GDPR simply strengthens an already robust company system.
GDPR is really simple to understand.
Imagine for a moment that a firm has a snippet of personal information about you. Let’s say it’s something you’d rather keep private. How would you like that firm to behave?.............. Quite right! Now you understand GDPR.
It’s just a common sense set of requirements on firms to keep information private.
Now flip the situation round to look at your own firm. GDPR is about the way in which you acquire, use, share and generally look after data that can identify an individual. Just as you wouldn’t leave your passport, wallet or other person data lying around, neither should you leave the personal data of others lying around. You need to look after it – it’s private.
The regulations specify how personal data should be managed to ensure that information is kept safe and only used for the purpose for which it was collected.
There’s a common approach taken by all such regulations, laws and standards. These are as follows.
- Firstly, you must establish clearly the assets you possess and know why you have them. Under GDPR these assets are data on people.
- Secondly, you must determine the threats to the safety and integrity of this data. Those threats pose risks to the safety and integrity of the data.
- Thirdly, if the risks to the data are unacceptable, you must implement controls to reduce the risks to be acceptable.
- And fourthly, you must demonstrate by audit that the controls that you’ve implemented are effective.
This four-step approach helps avoid the view that GDPR is complex. It’s just another standard to be complied with – no more and no less onerous than any other.
There are of course some additional requirements because the data is about people – like the right of the data subject to know what data is held on them.
GDPR identifies three entities – a Data Subject on whom data is held and a Data Controller who in turn asks a Data Processor to process the data on his behalf and who benefits from use of the data.
Data assets and risks
The starting point for all should be to conduct an audit of the data held and the purposes for which it’s used. Remember that data can be held in paper format and in soft format on computers, laptops, tablets, mobile phones – indeed any device that will hold data. Data can be held locally, centrally in a firm’s servers, in UK-based ‘cloud’ storage or overseas. Determine what the data is and where it is held.
Some data will be held in the UK, some in the EU and some worldwide. You need to be aware of where data is stored and the data protection standards implemented by the storage vendor. For example, US firms such as Google sign up to the Active Privacy Shield. This framework provides a set of ‘robust and enforceable protections for the personal data of individuals from EU’ and entitles such firms to operate in a 'whitelisted country' (a country that is for all intents and purposes within the EU). This covers instances where that data is stored outside the EU.
The GDPR demands that, as Data Controller or Data Processor, you satisfy yourself that data from your Data Subjects will be safe. Initiatives like Active Privacy Shield help in this.
So, having determined what data you have and satisfied yourself about its safety, you can move to the next stage.
Privacy impact (risk) assessment
The focus on privacy should occur at the outset of any project or new system implementation, not as an afterthought. GDPR calls this ‘privacy by design’. Consideration must be given to how the data collection, storage and use will impact on Data Subjects. Controls must be put in place where an unacceptable risk is identified.
Privacy Impact Assessment (PIA) is a risk assessment discussed above. It ensures that the risks of data loss or inaccuracy are minimised from the outset.
The website of the Information Commissioner (ICO) has a code of practice for conducting PIAs. Whilst it’s a lengthy document, it does cover possible risks and causes the reader to consider how to mitigate those risks. The PIA is central to GDPR.
By adding a PIA assessment to an already robust company system enhanced consideration for protection of data will automatically occur.
Much has been reported about the high fines that will be metered out if a data breach occurs. Maximum fines of EUR20m or 4% of gross turnover (whichever is higher) will become effective from May 2018. Currently under the DPA, fines of up to GDP500k are possible along with prison sentences for blatantly breaching the DPA principles.
The current DPA regulations include a principle related to data breach. So, in reality, GDPR is no different from DPA, though the maximum fines are somewhat higher.
Data breaches occurring that are likely to result in a risk to the individuals’ rights and freedoms will need to be reported to the ICO. Whether or not the breach should be reported will depend on the risk posed to those Data Subjects whose data has been breached. You can read more about this in the ICO blog – Setting the record straight on date breach reporting.
This whole business of getting consent is getting firms in a stew!
There are two routes - consent and legitimate interest. In particular, consent is getting much press in marketing.
Simply, as a business, Recital 47 of the GDPR says that it's legitimate for you to market your products and services to other businesses. This is particularly so if all that the marketer is holding is names, addresses and emails. With such data there is limited privacy impact on the employee of the target company. Indeed, executives of the target company would expect to be marketed to - how else will they keep up with new events and solutions. Those executives have rights and freedoms of course, and hence any action by the marketer must be proportionate.
In marketing to consumers, the situation is different. In most circumstances the Data Subject will need to give their consent for data to be held. This means that firms must, for example, get consumers to opt-in to receiving their newsletters and not just assume that consent has been given.
By far the bigger issue is for companies that actually gather data for other uses, such as personality profiling and TimelessTime falls into this group. As an example, project by project, we will always get consent to process personal data. We then manage the processing and the data itself through 'privacy by design' and the Privacy Impact Assessment and controls activity described above.
Once data is collected it can only be used for the purpose for which it was collected. Access to the data must be restricted to those who need to use it. It must be securely held, and only for as long as it is needed.
Understanding risks to the data held and mitigating those risks are key in both the DPA and the new GDPR.
Firms that are compliant with ISO9001 and other standards involving systematisation of the business are likely to take the transition to the new Regulations in their stride. Yes, new processes may need to be developed. And yes, existing audit schedules will need to be extended to cover GDPR.
Privacy Impact Assessments will also need to be carried out at the outset of projects – but then a systematised business will do project risk assessments anyway. Such businesses just need to extend their scope to cover data held on Data Subjects. And finally, under GDPR, records are needed showing what data is held and where, so there is a record-keeping requirement.
Appointing a Data Protection Officer
This aspect of the GDPR regulations is causing many organisations great angst. Who should undertake the role? Should the role be contracted out? How onerous is it?
There are some circumstances where a DPO has to be appointed, for example in the case of a public authority or where the prime reason for the existence of the organisation is to process or control large amounts of data.
But if none of these apply, a DPO need not be appointed. For many firms, the situation is just the same as for other standards and legislation. If the firm has ISO14001, ISO27001 or ISO9001, someone should have responsibility to senior management for compliance. It is, therefore, probably worth appointing someone as DPO alongside those other resposibilities, even where there’s no legal need.
The role of the DPO
The DPO role is pretty much the same as those persons responsible in the firm for maintaining compliance with other standards. There are several tasks that need to be done. The key role is to make sure that compliance monitoring is undertaken. Generally, compliance is done by periodic audit, just as for quality, information security, health and safety and others. The DPO is responsible for ensuring that employees understand their privacy obligations just as with other standards. They also ensure that Data Protection Impact Assessments (DPIAs) are undertaken where appropriate. The DPO is also the contact point for the ICO and for data subjects.
There is no qualification required to be a DPO – and no qualification available - but like other standards, the person must report in to senior management, be independent, adequately resourced and have a good understanding of privacy obligations in their organisation.
Can GDPR be contracted out?
The management of GDPR and the role of DPO can contracted out, but TimelessTime strongly suggests that this is not done. Here’s why.
The data to be audited and managed is private. By contracting out this role you will need to have in place a robust agreement with your GDPR services supplier to give confidence that your data is safe. You better also undertake a DPIA before you even think of this because the very appointment of an external supplier is likely a privacy risk!
The supplier undertaking the role of DPO will be the person that the ICO liaises with. Your data subjects will approach that external organisation regarding any data breach or subject data access. Will the supplier then collate (and hence have sight of) all the data that is needed, or will you have someone in your organisation do this? And will you then pass this data to the supplier to send to the data subject? Messy!
Have I managed to convince you that the DPO should be an internal appointment?
So is GDPR compliance onerous?
Maybe it will be if you are not used to conducting risk assessments or auditing to prove compliance on other subject areas like quality, health & safety or information security.
Yes, there is work to do. Yes, it will take some time and effort. But GDPR compliance will enhance business processes, making the business more effective and that will add to competitive advantage.
GDPR compliance is a benefit, not a cost.
TimelessTime can help you
If you need help in setting up your systems, developing training for your staff and working out what you need to audit and how to undertake data protection impact assessments we can help. We can undertake a project to help you put in place everything you need to manage GDPR yourselves. We’ll then train you and your DPO to run your system.
If you’re adamant that you want to appoint an external organisation to manage GDPR and act as DPO, we can undertake that role for you. We’d effectively become part of your HR team and manage the whole process on your behalf. That is, until we can demonstrate to you that you need to take it back in house!