The General Data Protection Regulation (GDPR) becomes effective on 25th May 2018. Those who assume that this is all to do with IT and Security are likely to have a rude surprise. Are you ready or is a serious threat hanging over you?
St John the Divine prophesied the Four Riders of the Apocalypse: Conquest, War, Famine and Death. For many directors today, the four riders are G, D, P and R. These are not just boring regulation to be consigned to the deputy under-manager for Tedious Matters, they have regulatory teeth and in the hands of an informed activist with a grudge, are as sharp as the rider’s blade. They do not knock politely: these four break the door down when they come.
GDPR, issued on 27th April 2016, is an update to the Data Protection Act. The original was passed into UK law in 1998. The internet was then largely confined to academe, and only a few company web sites had been established. Since then e-commerce, social media, mobile and cyber-crime have emerged. Expectations amongst consumers concerning the management of their data, and even the concept that such data exists, have emerged with them. The GDPR has been written to protect consumers and others from such egregious breaches as Yahoo, TalkTalk and Standard Chartered. Something that has been drafted by fine legal minds to protect a vocal population against the negligence of those who have abused the trust placed in them should be high on the agenda of every board.
GDPR is an update, but it greatly extends the scope, reach and penalties of the old Data Protection Act. The reputational damage done by activists working with journalists and by ravaging internet trolls, and the consequent dip in revenue and profit, is likely to be considerably greater than any fine. This is why it is not an issue to be left to the cardigan-wearing troglodytes or geeks of your organisation or its suppliers.
The GDPR is concerned with personal data, of which there are several sub-classifications related to impact. In most organisations, this is to be found in:
- Marketing, sales
- HR and personnel records
- Logistics and distribution
The scope includes sub-contractors who store and process the data on your behalf. You are accountable for their performance. Since the old Data Protection Act, there have been material changes in the rules concerning:
- Obligations to ensure that contracts between Data Controller and Data Processor comply
- An obligation to establish what personal data is held and where
- Consent and the uses to which data is put
- Geographic coverage and where data is stored and accessed
- Expectations of personal and corporate accountability
- The rights of an individual in relation to data that relates to them
- The penalties for non-compliance
These require review and validation that appropriate measures have been taken and are consistently applied. This calls for a broad set of skills, the gravitas to ensure that all those affected are taking appropriate measures, and a nose for risk. The GDPR recommends the appointment of a Data Protection Officer and requires one for specified classes of organisation. The ICO publishes an Impact Assessment to help you.
The Red-Face Test
An organisation for which I once worked was severely affected by the loss by an employee of a material quantity of personal data owned by a client. They sacked the individuals immediately involved, including the partners accountable. The consequent root-and-branch review of client security management and practice was applied to every consultant. Measures for risk management were required to be conducted, recorded and reviewed for every assignment. The test that was often applied for a given situation was: “How would you react if a journalist from a hostile tabloid paper were to call you with the challenge ‘Is it true that you did … resulting in … without checking …?’ Would you be able to explain yourself without going red with embarrassment?”
If you would like to take this test for yourself today, print this letter, convene a group including the CIO, CMO, CEO, HR Director and a facilitator familiar with the regulation, and role-play receiving such a communication. Would you be able to produce a credible response within the month permitted by the regulations? If not, you have until 25th May 2018 to get into a reasonable state. That is not long.
The Nature of Regulation
Most regulation has been developed in response to disaster. It would be nice to imagine that some of it was pre-emptive; it is just that the costs of implementation are so high for so many that change will only occur when there is a compelling reason to do so. What appears different about this one is the rate at which it has come about. In truth, the consultations around the EU directive on which each member state has written its law started years ago. The implications are still being worked out. In the UK, the Information Commissioner’s Office is the “Lead Supervisory Authority” (every other EU member state has appointed one too), charged with national implementation and guidance. Its communications are clear and comprehensible. The challenge is not in understanding the regulations; it is in making the fundamental changes in many aspects of the business and its suppliers needed to comply.
There are some aspects of this regulation that appear to give the regulated community (i.e. every organisation holding personal data) very little time to act. Most regulation is introduced progressively. It is in everyone’s interest to win people over to doing the right thing rather than just throwing the book at them, and there is remarkably little court-time available. The difference with this regulation is that the initiative is less likely to come from the regulator turning over rocks than from activists baying for blood when convenient or spectacular issues arise. The origin of the regulation was aggrieved individuals and activists. Any organisation that is found to have sinned the day after GDPR becomes effective will be able to claim no public sympathy.
The USA has long been criticised for extra-territorial regulation. There is now evidence of the EU moving to catch up. The GDPR applies to all organisations serving EU citizens; it has nothing to do with where the organisation providing the service is based. Pursuing some of them may prove a challenge. The Information Commissioner has pragmatically confirmed that the GDPR will be applied in the UK in full, regardless of Brexit. On 14th September 2017 the UK government introduced a bill in the House of Lords to enact the GDPR.
GDPR and Outsourcing
Under the regulation (as under the Data Protection Act) there are definitions for the roles of data processor (commonly a service provider) and data controller. Obligations are associated with each.
A processor is required to maintain records of personal data and processing activities, and will have significantly more legal liability if responsible for a breach. A controller is responsible for establishing overall compliance, including the management of data subject rights, for ensuring that contracts with data processors are compliant, and for ensuring that the rights of data subjects can be supported within the time allowed. Controllers must manage consent and ensure that it is validly gathered and complied with. Data that has fulfilled its original purpose must be deleted in accordance with policy. In many cases, this will imply changes to existing outsource contracts and additional costs.
The rights of Data Subjects
There is now a provision that everyone has the right to the protection of personal data concerning him or her. The regulation introduces (or modifies) the following rights of data subjects in relation to the personal data that organisations hold about them:
- The right to be informed
- The right of access
- The right to rectification
- The right to restrict processing
- The right to data portability
- The right to object
- Rights related to automated decision making and profiling
These rights are likely to present challenges to organisations, as there are time-limits for performance that, where there is any scale, can only be met with advance planning and the development of processes, roles and responsibilities. It is no defence that 10,000 subjects submitted the same request within days of a likely breach reaching the press. The development of an approach to containing the impact and responding to rights requests is likely to span the customer organisation, its IT and its suppliers. As such, it represents a major change for most organisations and requires a coordinated response.
Hell’s Teeth and Buckets of Blood
The EU has developed a taste for attaching significant financial penalties to those causing commercial offence. First Microsoft and later Google enjoyed this attention. Some of the penalties for offences under GDPR have therefore been given real teeth. The greater of €10m and 2% of global turnover (£17m and 4% for the UK) applies to failure to notify the supervisory authority of a breach within 72 hours, and to breach of a code of conduct for safeguarding data where that code is relied upon for compliance.
Expensive as these regulatory sanctions are, they are likely to be modest in comparison with the ire of social media, trolls and the press. Some of those who have suffered as a result of data breaches have learned to use these instruments to initiate boycotts (Starbucks Tax) as well as to drag corporate and personal reputations through the gutter. Those who have been seen to abuse trust suffer badly when they next ask customers to trust them with their business.
The regulations are designed with the interests of consumers at their core. As such, few organisations have grounds to object and the smart will see potential to build trust within the community they serve, winning business and competitive advantage in the process. The road will be a demanding one; many struggle just to identify what data is held about whom and where. The regulation is demanding and is upon us. A smart and focused response is warranted. This needs to be coordinated across the organisation. The choice not to act is one with apocalyptic consequences.
This article is not legal advice.
This article was first published in Intelligent Sourcing, Issue 4 Winter 2017