This week sees the arrival of the General Data Protection Regulation (GDPR) which iterates on the EUs existing data protection law. The emphasis is to safeguard EU citizens private information.
I am not a fan of government regulation per say and need I provide any examples other than the EU rules which have required websites since 2012 to tell users what cookies are being placed on their machine typically through a pop-up window seeking consent. This was a naive approach and only makes the end user experience more frustrating.
Self-regulation is ideal but a recent admittance by the UK culture secretary Matt Hancock admitted that when he called in representatives of 14 leading Internet companies to discuss his ideas, only four turned up. This was related to new legislation to clamp down on social media firms and basically highlights how such consultations can fail when it is not in the interest of the companies who gain the most by being less regulated.
GDPR has ushered in a new era and the public is finally seeing the need for cyber security and compliance. There are even GDPR jokes, I particularly like @sharondea’s tweet
My mum is leaving it awfully close to the GDPR deadline to ask if I want to opt in to receive her emails, calls and texts.
— Sharon O’Dea (@sharonodea) May 15, 2018
There are many myths however out there too. For instance, much of the discussion mentions the maximum fine of 20 million Euros or 4% of global turnover however in reality, European data protection agency enforcers will most likely serve warning notices first that a company is not operating in compliance with GDPR. This should allow companies to conform and then if they ignore the directives, fines will be issued in proportion to the transgression. Repeated transgressions on the same subject will result however in increasing fines. I do expect to see large fines but those who are fined will clearly be in contravention of the spirit of GDPR. Companies who unwillingly (even if not a defence) will not suffer as large a fine as those who try to be contravene the GDPR spirit in a sly manner. The spirt of GDPR is that any data collected on us should be accurate, protected and available to individuals to collect, move, delete, modify and view and that they should only collect what is necessary. In other words, companies should not capture too much and not treat it lightly.
Others believe it opens the door to allow an avalanche of law suits but that is something which can happen to any business without GDPR. Yes, GDPR does allow individuals to contact their regulators and to complain if a company ignores their requests, however data protection authorities actually function as a clearing house thus removing some of the burden on companies for idiotic requests.
In fact, the sad part is that companies are seeing this as a new requirement when actually GDPR has been in effect for two years and the European Data Protection Directive (DPD) has been in effect for over 20 years. The burden is also proportional to the amount of data held, the number of employees in a company and the type of data held. So, big companies holding large amounts of sensitive data will need to expend much more resources than a small company with non-sensitive data.
GDPR should make data safer. GDPR encourages good security practices. GDPR now makes privacy by design a key legal requirement. It also makes Data Protection Impact Assessments (DPIAs) mandatory in certain circumstances where data processing is likely to result in high risk to individuals’. It simply encourages data security experts to sit with non-technical staff to map out how to ensure data is treated in accordance with GDPR. That is common sense but rarely practiced to date.
Aspects businesses can do to ensure they are able to protect user data once GDPR kicks include making sure management know about the impact non-compliance with GDPR can have; documenting personal data held, its source and who it is shared with; privacy notices reviewed so they are in clear, concise and fair; examination of how subjects can access data should they request it; Revision of procedures for ensuring data portability; identification of the lawful basis for processing activity in the GDPR; examination of how user consent is obtained being aware that consent must be freely given, specific, informed and unambiguous; Ensuring procedures are in place to verify individuals’ ages and get parental consent for any data processing activities if needed; Updating procedures to detect, report & investigate any personal data breach and determination of lead data protection supervisory authority if your business operates in multiple EU states.
GDPR is not perfect. For instance, it is quite vague on which size a company needs to be to take certain measures (which differ with company size) and it seems to have missed the issue surrounding blockchains and the right to erasure. These are not show stoppers however.
In short, cyber security should improve as companies are being forced to pay more attention to best practice in securing data. GDPR now put a duty on organisations to report specific data breaches to the ICO, and in certain circumstances to individuals e.g. if a breach is likely to result in a high risk to the rights of individuals. Large organisations also need to create policies/procedures for managing data breaches. The role of Data Protection Officers (DPOS) who take responsibility for data protection compliance will help. There are many rules in place to ensure they are not restrained by management and can act with authority. What GDPR does is force companies to adopt security practices that many good security aware companies have been practicing for some time. This law is fair. It is wise and the only ones who could really disapprove or those who seek to abuse our data and use us as the product.
There is a guide to the GDPR which explains the provisions of the GDPR to help organisations comply with its requirements at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
This includes links to relevant sections of the GDPR itself, to other ICO guidance and to guidance produced by the EU’s Article 29 Working Party. There are also a number of tools to help organisations to prepare for the GDPR.
There is also GDPR for Dummies by Russell & Fuller https://www.metacompliance.com/gdpr/gdpr-for-dummies/ which helps prepare your team for GDPR compliance and how to put in place a Privacy Management programme along with the importance of a Privacy by design mindset.