The EU General Data Protection Regulation (GDPR) is not to be ignored. Swooping in from a Europe that has looked increasingly distant since the results of the 23 June referendum, the GDPR is intended to strengthen consumer rights and simplify regulation across 28 countries with a single approach. But it's seen as arcane in some camps, and impenetrable in others. New research showed that nine out of ten European businesses are unsure exactly how to become compliant when the regulatory hammer comes down on May 25 2018.
Recently, the UK's deputy information commissioner, Steven Wood, relayed the confusion that British businesses feel about the GDPR. Do UK businesses currently facing Brexit even need to comply with a law that will come into effect in 2018 only for it to be made redundant when the UK pulls out of the EU in 2019?
“Some people think that Brexit coming along means we don't have to do anything here. Well we do,” said Conor Ward, a lawyer specialising in IT at Hogan Lovells International LLP and one of our speakers for yesterday's Roundtable, entitled “Are you ready for EU GDPR?”.
Fact is, even in the unlikely event that businesses escape the regulatory gaze of the GDPR, there are plenty of other regulations coming in with many of the same provisions that the GDPR sets out. Even if some think they can escape one, the NIS Directive and PSD2 for the financial sector may well get them. And if you do business with the EU or hold data on EU citizens, GDPR will apply even after Brexit.
Conor Ward and Victoria Hordern of Hogan Lovells International LLP
“It is almost impossible to say anyone is absolutely ready”, said Victoria Hordern, a senior associate at Hogan Lovells International LLP and a legal expert in privacy and information law. However, she added, “if your organisation is keeping in line with existing law, then you're doing a pretty good job,” and well on your way to achieving compliance.
Much of the incoming regulation is founded upon the EU Data Protection Directive, set out in 1995. In some sense, the new regulation supercharges the now two-decade-old directive, establishing firmer penalties for rulebreakers, demanding meticulous levels of compliance and handing more control over to the individual. The ‘Right to be Forgotten’, for example, is one of the chief provisions of the regulation, allowing European citizens to request that their data be deleted by the companies and organisations holding that data.
The notion of consent is also changing, added Hordern: “you'll have to show a record and it must be collected in a way that is clear”. Consent to use that data will have to be made expressly clear, and in writing, not only for the customer and the data processor but for the regulator too. With the regulation's increased focus on ease of compliance, organisations will also be expected to have clear policies and procedures that can be presented in case of an audit.
Which is not to forget enforcement, which will be more thorough, wider and more punitive than anything the UK has seen before in the realm of data protection. When the hammer does come down, the regulator could issue fines as high as four percent of global revenue. The directive, as it currently applies, largely leaves each of the 28 member states of the EU to decide how exactly they want to enforce it. The GDPR, said Hordern, “takes it from 28 different laws to one law”.
Kimberley Barata, head of records management at Ricoh, and Beverley Allen, group risk manager at Photobox
Even though the UK government plans to leave the EU by 2019, UK businesses that want to do business in Europe will have to comply. In any case, said Hordern, “the UK is looking to move in a regime which closely reflects the GDPR.” So if it does not adopt GDPR, it will need an equivalent, deemed ‘adequate’ by the EU.
When GDPR does come into effect in 2018, the UK will witness a far more rigid data protection landscape. Ward added, “because of the lack of consequences under the existing regime a lot of people probably do not comply.” The £400,000 fine recently levied on TalkTalk may yet seem paltry in comparison.
It has been strongly suggested, said Hordern, “that the way regulators are seeing this is almost the way anti-trust fines are seen”, which is to say fines may well be given not as a slap on the wrist but closer to a coup de grâce.
While enforcement is currently used relatively sparingly, with much left up to the interpretation of the regulated, this will no longer be the case.
Stephen Murgatroyd, director of operations, Institute of Operational Risk
Michael Everall, head of information security at Fidelity National Information Services, pointed to a Reuters story showing that UK organisations had been systematically under-reporting breaches, because they get to decide what is and what is not a material breach. While the GDPR, said Everall, is “marginally better, it still leaves a lot of room for interpretation”.
The provisions laid out are not all absolute. A data breach will have to be reported to a regulator within 72 hours, unless you can argue that the breach is unlikely to harm the individuals whose data you hold because the data is, for example, encrypted or pseudonymised. And you only need to tell the subjects themselves if there is a high risk of material harm.
What and whether to report is a deeper question than one might expect. Thinking about what to protect is largely dependent on what one considers to be personal and non-personal data.
“If organisations have to actually raise their game” in terms of protecting the data, said Neil Brown, CEO of Storm Guidance, “they might as well apply it to every kind of data”, as well as personal data.
Mike Everall, head of information security at Fidelity National Information Services, and Neal Brown, CEO of Storm Guidance
Stephen Murgatroyd, director of operations at the Institute of Operational Risk, added that the idea of partitioning your data “begs the question if it's not that important, why keep it at all?”.
Moreover, added Murgatroyd, “The human factor of what people think is important and what people think is not important, and what is material and what is not material is subject to human biases”. The problem with human biases is that they “can change day to day on whether you got your coffee that morning”.
It's not just customer data that needs to be looked after either.
Kimberley Barata, head of records management at Ricoh, has noticed this blind spot before. She said that a lot of people make a distinction between customer and employee data: “they have to manage the data about their customers but not their employees - colleagues in other organisations are fighting this huge battle trying to get them to see that it's their employees too.”
A company like Morrisons will know this well. The supermarket chain is now being sued by thousands of its employees for failing to stop employee data being leaked by a malicious insider.
It's all well and good for CISOs, security teams and people whose job it is to protect data, but unfortunately that old cliché of IT security presents itself again: what do you tell the board? And how do you get them to give you the money you need to comply?
Whatever regulatory environment we end up with in the coming years, the buck may eventually stop there. Ward noted that the UK's Information Commissioner has already said that it wants the ability to hold directors to account. Under the GDPR, many organisations will need to appoint a data protection officer, with sufficient expertise, to oversee compliance within the organisation. More than that, they have to be in direct contact with management.
Robert Saunders, lead security architect at Barclays, and Max Dalziel, director of KY3P, IHS Markit
Privacy by design is another key part of the GDPR. Retrofitting brings problems, said Ward: “it becomes very expensive and not that effective”.
But, added Everall, “retrofitting like this happens every day with every company”. Often, “you have no choice”, he said. Whether it's more expensive or not, regulators may not care.
“If you've taken no steps to comply”, said Ward, “someone's going to be made an example of”. The key message was loud and clear: it will apply to you, you need to prepare, budget and plan, and you need to do it now, as it's more complex than many realise.