The General Data Protection Regulation (GDPR) becomes effective on 25th May 2018. Those who assume that this is all to do with IT and Security are likely to have a rude surprise. Are you ready or is a serious threat hanging over you?
St John the Divine prophesied the Four Riders of the Apocalypse: Conquest, War, Famine and Death. For many directors today, the four riders are G, D, P and R. These are not just boring regulation for the attention of the deputy under-manager for Tedious Matters, they have regulatory teeth and in the hands of an informed activist with a grudge, are as sharp as the rider’s blade. They do not knock politely: these four break the door down when they come.
Data Protection
The EU adopted the GDPR on 27th April 2016. It replaces the 1995 Data Protection Directive, which the UK implemented as the Data Protection Act 1998. The internet was then in its infancy and only a few companies had established web sites. Since then e-commerce, social media, mobile and cyber-crime have emerged, and with them consumer expectations about how their data is managed, and even awareness that such data exists. The GDPR is designed to protect consumers and others from breaches of the kind suffered by Yahoo, TalkTalk and Standard Chartered. Every board should review its provisions for compliance with such regulation, doubly so when the regulation exists to protect a vocal population against an abuse of trust.
GDPR extends the scope, reach and penalties of the old Data Protection Act considerably. Greater still is likely to be the reputational damage: activists working with journalists, ravaging internet trolls and the consequent dip in revenue and profit.
Personal Data
The GDPR is concerned with personal data. The special categories of it (health, ethnicity, religious belief, sexual orientation and the like) attract stricter rules because of the impact of their misuse. Most organisations will find personal data in:
- Marketing, sales.
- HR and personnel records.
- Payroll.
- Logistics and distribution.
The scope includes sub-contractors (Data Processors) who store and process the data on behalf of a Data Controller; the controller remains accountable for their performance. Since the old Data Protection Act, there have been material changes in the rules concerning:
- Obligations to ensure that contracts between Data Controller and Data Processor comply.
- Establishing the nature and location of storage of personal data.
- Consent and the uses of data.
- Who accesses data, for what purpose.
- Expectations of personal and corporate accountability.
- The rights of an individual in relation to data that relates to them.
- The penalties for non-compliance.
Each of these requires review and validation that appropriate measures have been taken and are consistently applied. That calls for a broad set of skills, the standing to ensure that everyone affected actually takes those measures, and a nose for risk. The GDPR requires the appointment of a Data Protection Officer for specified classes of organisation (public authorities, and those whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data) and recommends it for others. The ICO publishes guidance on Data Protection Impact Assessments to help you.
The Red-Face Test
I once worked for an organisation that was severely affected by the loss by an employee of a material quantity of personal data owned by a client. They sacked the individuals immediately involved, including the partners accountable. A root-and-branch review of client security management followed. Rigorous practice affected every consultant. Every assignment implemented measures for risk management. The partner in charge reviewed the results and assessed the risk of the data in the assignment. A required test was to ask: “How would you react if a journalist from a hostile tabloid paper were to call you with the challenge ‘Is it true that you did …. resulting in …. without checking ….?’ Would you be able to explain yourself without going red with embarrassment?”
If you would like to take this test for yourself today, print this letter, convene a group including the CIO, CMO, CEO, HR Director and a facilitator familiar with the regulation, and role-play receiving such a communication. Would you be able to produce a credible response within the time the regulation permits: one month to answer a subject access request, and 72 hours to notify the supervisory authority of a breach? If not, you have until 25th May 2018 to get into a reasonable state. That is not long.
The Nature of Regulation
Most regulation has been developed in response to disaster. It would be nice to imagine that some of it was pre-emptive, but the costs of implementation are so high for so many that change occurs only when there is a compelling reason. What appears different about this regulation is the speed at which it has arrived. In truth, the consultations that produced it began years ago: the European Commission published its proposal in January 2012. Unlike the 1995 Directive, which each member state transposed into its own law, the GDPR is a regulation and applies directly, though its implications are still being assessed. In the UK, the Information Commissioner’s Office is the supervisory authority (every other EU member state has appointed one too), charged with enforcement and guidance. Its communications are clear and comprehensible. The challenge is not in understanding the regulation, it is in making the fundamental changes to many aspects of the business and its suppliers needed to comply.
Some aspects of this regulation appear to give the regulated community (i.e. every organisation holding personal data) very little time to act. Most regulation is introduced progressively, since it is in everyone’s interest to win people over to doing the right thing rather than simply throwing the book at them, and there is remarkably little court time available. The difference with this regulation is that the initiative is less likely to come from the regulator turning over rocks than from activists baying for blood when a convenient or spectacular issue arises. The regulation originated with aggrieved individuals and activists. Any organisation found to have sinned the day after GDPR becomes effective can expect no public sympathy.
Extra-Territorial
The USA has long been criticised for extra-territorial regulation. Recently there is evidence of the EU catching up. The GDPR applies to any organisation, wherever it is established, that offers goods or services to people in the EU or monitors their behaviour; the residence of the organisation providing the service is beside the point, though pursuing some of them may prove a challenge. The Information Commissioner has pragmatically confirmed that the GDPR will apply in the UK in full, regardless of Brexit. On 13th September 2017 the UK government introduced the Data Protection Bill in the House of Lords to supplement the GDPR and carry it into UK law.
GDPR and Outsourcing
Under the regulation (as under the Data Protection Act) there are definitions for the roles of data processor (commonly a service provider) and data controller. Obligations apply to each.
A processor must maintain records of its processing activities and will carry significantly more legal liability than before the regulation if it is responsible for a breach. A controller must establish overall compliance, including managing data subject rights. It must ensure that contracts with data processors contain the terms the regulation requires and that the time limits (one month to answer a subject request, 72 hours to notify the supervisory authority of a breach) are met. It must manage consent, ensuring that it is validly obtained and honoured. Data that has fulfilled its original purpose must be deleted in accordance with policy; this deletion requirement is particularly difficult and expensive for many to fulfil. In many cases, compliance implies changes to existing outsource contracts and additional cost.
The Rights of Data Subjects
Everyone now has the right to the protection of personal data concerning him or her. The regulation introduces (or modifies) the following rights of data subjects in relation to personal data held about them by organisations:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights related to automated decision making and profiling.
Organisations must satisfy several of these rights within defined and short periods from the request: normally one month, extendable by a further two months for complex or numerous requests, and free of charge. Where there is any scale, this is only possible with advance planning and the development of process, roles and responsibilities. It is no defence that 10,000 subjects submitted the same request within days of a likely breach reaching the press. An approach to containing the impact and responding to rights requests is likely to span the customer organisation, its IT and its suppliers. As such, it represents a major change that most organisations can only meet with a coordinated response.
Hell’s Teeth
The EU has developed a taste for attaching significant financial penalties to those causing commercial offence; first Microsoft and later Google enjoyed this attention. The penalties under GDPR have therefore been given real teeth, in two tiers. Failures such as late notification of a breach, or inadequate records and security measures, attract a penalty of up to the greater of €10m and 2% of global turnover. Breaches of the core principles, of the conditions for consent or of data subjects’ rights attract up to the greater of €20m and 4%. The UK Data Protection Bill sets sterling equivalents, the higher tier being £17m and 4%.
Expensive as these regulatory sanctions are, they are likely to be modest beside the ire of social media, trolls and the press. Aggrieved consumers have learned to use these instruments to initiate boycotts (the Starbucks tax boycott, for instance) as well as to drag corporate and personal reputations through the gutter. Anyone who abuses trust may suffer badly the next time they ask customers to trust them with their business.
Ride On
The regulation is designed with consumers’ interests at its core. Few organisations therefore have grounds to object, and the smart will see the potential to build trust within the community they serve, winning business and competitive advantage in the process. The road will be demanding; many struggle just to identify what data is held, about whom and where. The regulation is exacting and is upon us. A smart and focused response, coordinated across the organisation, is warranted.
………………………
This article is not legal advice.
A version of this article was first published in Intelligent Sourcing, Issue 4 Winter 2017