Ready or Not, General Data Protection Regulation is Coming
Simon Ratcliffe Principal Consultant, Advisory
The General Data Protection Regulation (GDPR) was published in the Official Journal of the EU on 4 May 2016, entered into force on 24 May 2016 and will enter into application on 25 May 2018 after a two-year transition period. We are now over 35% of the way through this period, but very few organisations can report similar progress.
As the GDPR is a Regulation rather than a Directive, it applies directly in every Member State and does not require enabling legislation to be passed by national governments. Its general intention is to strengthen and unify data protection for individuals within the European Union, and it also addresses the export of personal data outside the European Union. By replacing the patchwork of national implementations of the 1995 Directive, the Regulation will create a single set of standards across Europe.
The Regulation applies to all data controllers and processors established in the EU, regardless of where the processing itself takes place. It also applies to organisations established outside the EU if they process the personal data of individuals in the EU in connection with offering them goods or services, or with monitoring their behaviour. The breadth of this scope means that the Regulation will affect the majority of organisations in the UK, and so changes will be needed within these organisations. Whilst the GDPR does not enter into application until May 2018, there are many actions needing attention and it is recommended that organisations begin to look at this now.
There has been a lot of confusion and conflicting information around the impact of the GDPR, what actions are required, and even whether it will apply at all because of Brexit. This is not an attempt to unpick the detail of the GDPR but rather to establish some high-level actions and to ensure that organisations are aware that there are steps they should be taking now. The GDPR is already in force and, even though it will not enter into application for two years, it will do so whilst the UK is still a member of the EU. On that basis alone, it should not be thought of as something that ‘may’ happen. It is happening, and some actions are more effective if taken now.
When data protection regulations are discussed, many organisations immediately point to IT as the responsible element of the organisation, but with the GDPR, making this an ‘IT Project’ would be to miss the intent of the Regulation.
The accountability for the GDPR, as with all data security, must start with the Board. Ultimately the Board is accountable for the actions of all members of their business and for the systems used by those members, but too many Boards forget this and try to delegate their accountability to other aspects of the business, often IT. Responsibility can be delegated but the ultimate accountability may not be and the potential fines under the GDPR could easily wipe out a business.
Many of the GDPR seminars, presentations and papers have been aimed at the IT function, and there seems to be an expectation that IT will convey the implications of the Regulation to the rest of the business. Whilst IT will often be the mechanism by which some of the changes are applied, the accountability for the changes, and the definition of which changes are required, will sit with other departments.
The Board of Directors is ultimately accountable for the implementation of the requirements of the GDPR, and it is strongly recommended that the Boards of all medium and large organisations obtain advice on the implications of the GDPR for their organisation. The penalties that can be levied under the GDPR for non-compliance are severe and tiered. For the most serious infringements, such as breaching the basic principles for processing or the rights of data subjects, the headline maximum is the higher of 4% of worldwide annual turnover or €20m (this compares to a maximum of £500k under current UK law). A lower tier of the higher of 2% of worldwide annual turnover or €10m applies to other obligations, including failing to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it.
Appointments Within Departments
There is also a requirement within the GDPR for many organisations to appoint a Data Protection Officer (DPO), and this role must be filled by a person with expert knowledge of data protection law and practice. Whilst this does not have to be a dedicated role, or even a full-time employee, organisations need to make provision for it by the time the Regulation applies. The DPO must be able to act independently, reports directly to the highest level of management, and serves as the organisation's contact point for the regulator, so in practice they act as an internal regulator rather than as a delegate of the Board. The appointment, education and ongoing training of this person will therefore be a considerable challenge for many organisations. The most effective location for this role is likely to be within the Compliance or Standards function of an organisation rather than IT, as expertise in data protection law is of paramount importance.
Sales and marketing functions are very important in meeting the Regulation because the GDPR raises the bar for consent. Consent is not the only lawful basis for processing (performance of a contract, a legal obligation and legitimate interests are among the others), but where an organisation relies on it, as is typical for direct marketing, the consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action; pre-ticked boxes and silence do not count, and the data controller must be able to demonstrate that the individual opted in. Every set of personal data held, which includes contact data for an individual within another organisation, must therefore have an identified lawful basis and must not be retained without one. This may cause significant work for many organisations, as there are significant penalties for non-compliance. It also extends to data held by individual staff in their own contact databases if that data is used to send marketing or other unsolicited information to the individual.
HR Departments are also potentially subject to a lot of scrutiny and change, as the GDPR applies to all personal data within an organisation (what is often called Personally Identifiable Information, or PII), including that of staff. HR Departments also hold CV data and job applications, and all of this data is subject to the GDPR and, therefore, to the potential penalties.
Organisations with compliance, quality assurance or risk management functions also need to engage these staff quickly, as there will be a new set of risks and responsibilities to review and assess as part of the preparation for the GDPR. Many of the risks can be mitigated through process adjustments, and there will be a need to adapt many processes that involve data collection, processing and management within organisations.
IT will have to act as well, to support all of the other functions, as there will be a need for a lot of change in many organisations to protect the data held. Whilst data security has traditionally been delegated to IT, the GDPR requires the involvement of many parts of an organisation, and full and proper awareness and communication are key. The GDPR should have been on the agenda of most medium and large organisations for several months now; if it is not being discussed and initial plans put in place, there is the possibility of a lot of change needing to be implemented in a very short period of time.
In essence, the GDPR means comprehensive change in many organisations, especially those that have not implemented a comparable level of data protection and data privacy before the Regulation applies.