Following the approval of the new General Data Protection Regulation (GDPR), businesses must be prepared for a new set of standards surrounding data processing. Although there remains a two-year lead in period, organisations must begin work now if they are to meet the regulations. Crucially, businesses must be able to distinguish between fact and fiction when it comes to deciphering what impact the GDPR is likely to have going forward. Making sense of the mixture of speculation, misunderstanding and erroneous interpretations could mean the difference between success and failure when it comes to complying with the ruling.
Lisa Dargan, Business Development Director for Ultima Risk Management, has taken a look at some of the GDPR myths already circulating and what impact the legislation will really have on your business.
Myth 1 – You must appoint a qualified, independent Data Protection Officer (DPO)
Not true.
It was strongly suggested that the GDPR would require every organisation with more than 250 employees, or processing in excess of 5,000 personal data records, to appoint a Data Protection Officer. However, this proposal was removed from the legislation at the drafting stage. Instead, Section 4 of the GDPR states that DPOs are required if you are:
- a public body
- a private sector controller whose core activities involve ‘regular and systematic monitoring of data subjects on a large scale’ (note that what constitutes ‘large’ is open to interpretation)
- a private sector controller whose core activities involve the processing of special categories of personal data (i.e. sensitive information).
Businesses should also be aware of the importance of an independent DPO. The DPO can still be an existing employee, but they must have an independent reporting line and report directly to the Board without interference. They should also have a thorough and up-to-date understanding of data protection law if your business is to meet compliance standards.
Myth 2 – I am an SME, so the GDPR doesn’t apply to me
Not true.
The GDPR applies to all businesses ‘engaged in economic activities’ that involve the processing of personal data. Although there are some exemptions for micro and small businesses when it comes to record keeping, SMEs still need to be aware of the new ruling. Smaller firms may be working with large customers and so will need to ensure that the relevant data is managed appropriately.
Myth 3 – I’m acting as a data processor – my customers, as the data controllers, can deal with the difficult stuff
Not true.
Over the next two years data controllers will need to review all of their supplier contracts to ensure that they meet the new regulations, but data processors also have direct responsibilities under GDPR, including a requirement that they (or their representatives) maintain a record of processing activities including:
- The name and contact details of the processor or processors, or where applicable, the processor’s representative
- The name and contact details of each controller (or the representative) the processor is acting for and their data protection officer
- The categories of processing carried out on behalf of each controller
- Transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of appropriate safeguards (e.g. contractual clauses within inter-company data transfer and sharing agreements based on risk assessments etc.)
- Where possible, a general description of the technical and organisational security measures the recipient of the transfer has implemented
- The records need to be in writing, including in electronic form and made available to a supervisory authority on request
Myth 4 – I encrypt my personal data so there’s no way I’ll get fined
Not true.
Security is important, but fines can be issued for failure to meet data controller/processor obligations, as well as security breaches. Regulators can impose penalties of between two and four per cent of annual turnover, depending on the severity of the infringement. Some considerations taken into account before issuing a fine include:
- The nature, gravity and duration of the infringement
- The purpose of the processing concerned
- The number of data subjects affected
- The level of damage suffered by data subjects (including infringement of their rights)
- Whether the infringement was intentional or negligent
- Any action taken by the controller or processor to mitigate the damage suffered by data subjects
- The degree of responsibility of the controller or processor, taking into account technical and organisational measures implemented
- Any relevant previous infringements
- The degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects
- The categories of personal data affected by the infringement
- The manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, they were notified
- Whether any previous measures ordered against the controller or processor relating to the same subject-matter were complied with
- Whether approved codes of conduct or approved certification mechanisms were in place
- Any other aggravating or mitigating factors such as financial benefits gained, or losses avoided, as a result of the infringement
Encryption will not solve all your problems. You will also need to consider ‘organisational and technical’ measures, not just in relation to security management and data protection, but potentially in terms of documented privacy impact assessments. These are now mandatory where new processing operations are likely to result in a high risk to the rights and freedoms of data subjects. Businesses should also ensure that they have a thorough governance and compliance regime in place in order to ensure their accountability obligations are met.
In response to the GDPR ruling, data processors and controllers need to think ahead and prepare for the coming impacts on their IT infrastructure. Questions to ask include:
- Can your business identify where personal data is stored, processed and transmitted, by utilising data discovery and data audit tools?
- Can your business record how consent for processing personal data was obtained, who it was obtained from, who the data has been shared with, whether it has been changed, whether its accuracy has been disputed, and whether disclosure has been approved under data sharing agreements (internal, external and inter-company)?
- Do your applications/systems developers understand the GDPR implications?
- Are you preparing to perform documented privacy impact assessments and criteria for prior consultation with data protection authorities as part of your compliance regime?
- Are your applications/systems able to support the GDPR data deletion requirements?
- Are you planning application changes to support the new rights of data subjects to receive copies of their personal information in common (interoperable) electronic format and/or forward that data to another entity (portability)?
- Are you proactively talking to your software suppliers, service providers and data processors? Have you identified them, and are you planning contract reviews? Are you yourself a data processor or software solutions provider?
- Will your incident management and investigation procedures enable compliance with data breach notification obligations, to notify supervisory authorities where necessary within 72 hours? Are you considering what, how and when you may need to notify data subjects that a breach has occurred and what assistance you will provide them?
- How will you review online privacy information notices and achieve online consent? How will online consent translate into a record of that consent, and how will a subsequent withdrawal of consent trigger potential data erasure?
- How will the data erasure/portability requirements impact your current data retention and archiving arrangements?
- What resources and support will you need for your GDPR reform project?
Myth 5 – The GDPR will not be relevant if we leave the EU, so businesses should wait before acting
This is not an advisable approach to take. If the UK remains in the European Union, the GDPR will supersede the UK Data Protection Act, but if we leave, the complex withdrawal process could mean that the UK is forced to implement similar legislation in order to comply with the EU rules. The free flow of information will remain vital to the success of UK businesses whether they are based in or out of the EU, meaning that organisations are better off complying now, before it’s too late.
For further guidance on how to comply with the GDPR, the Information Commissioner’s Office has published guidelines via its new micro-site: https://dpreform.org.uk/.
Lisa Dargan, Business Development Director, Ultima Risk Management
Lisa Dargan is a director at Ultima Risk Management (URM), one of the UK’s leading information security and risk management consultancy and training organisations. Having worked in the IT and information security marketplace for over 20 years, Lisa has accumulated a wealth of experience assisting private and public sector organisations of all sizes to improve their information security and cyber security working practices as well as meeting data protection legislation.
Lisa is skilled at helping organisations develop appropriate and pragmatic approaches to securing their information and is one of the UK’s leading practitioners in implementing ISO 27001, the world’s preeminent international management system standard for information security.