Dire warnings about huge fines for businesses have been the up-in-lights feature of reporting about the European Union General Data Protection Regulation (GDPR), to the detriment of other aspects of it, including the responsibilities it places on organisations.
This includes a significant focus on transparency and accountability, and mandatory data breach reporting unless the breach is unlikely to result in a risk to those whose data is being processed. It also provides for enhanced rights for those whose data is being processed and for their right to compensation if their data is abused.
Experts on data protection and data governance have been in hot demand in recent months as some organisations still scramble to put themselves on a sound compliance footing by the time the regulation comes into effect on May 25th.
Dr Katherine O’Keefe of the Irish consultancy firm Castlebridge, says: “One of the biggest misconceptions I think that people have around data protection is that it’s a technology issue.”
The regulation is about trying to protect people and their human rights, she says.
“It’s not just a matter of making sure we have computer security – that’s a very important part of it – but it’s making sure [organisations] treat us as human beings with respect and making sure they have proper governance around what they are doing.”
She notes some confusion about aspects of the regulation, such as the misapprehension that it is “all about consent” and that this is the only basis upon which organisations will in future be allowed to process people’s personal data.
“Consent is an important part – it’s one of the legal ways that people can process our data when we allow them to do that, but there are several other legal processing conditions. It’s about making sure that you have a justification to process people’s data and that you have a clear legal basis for it and are able to explain and justify what you are doing.”
Pat Walshe, a UK-based data protection and privacy consultant, agrees that the notion that all processing will require consent is a common misconception about the regulation.
There is also a false assumption that the regulation applies to “EU citizens”.
“The GDPR does not refer to citizens – it applies irrespective of citizenship or nationality. This error may lead to organisations not properly understanding the territorial application of the GDPR,” he adds.
“For example, the GDPR will apply when an Indian-based company that processes personal data about people in India uses a data processor based in the EU.” This is, he says, one of the unintended consequences of the regulation.
Walshe says his own workload has increased greatly, “especially as companies realise that new-found ‘experts’ don’t have the necessary knowledge and experience to support them effectively”.
Many organisations, particularly SMEs, are concerned the regulation will add cost to their business.
Walshe says data-protection authorities are producing some great guidance for small and medium-sized businesses which will help reduce the costs of hiring external expertise in the first instance.
I’d urge every small-business owner to invest in a couple of good-quality shredders
All businesses will face the increased costs of compliance but that “the privacy of individuals should not be a cost”, he adds.
“SMEs need to be pragmatic and prioritise risky processing – which begins with simple questions such as ‘Will the collection/use of this data cause problems? Will it be kept safe and secure?’ – and so on.”
One of the other factors an organisation will have to consider is whether it must appoint a data-protection officer (DPO).
O’Keefe points out that this is a requirement for public bodies, and where the organisation’s core processing activities include “regular processing of sensitive personal data, or special categories of personal data as they are called now”.
If you are doing any sort of analytics regarding people’s behaviour, large-scale analytics, then you will need a data-protection officer
“So if you’re regularly processing anything to do with people’s health, people’s sexual orientation, people’s ethnicity, people’s religious or philosophical opinions, whether or not they’re a member of a trade union – anything revealing that type of information – if you are doing that regularly, you will be required to have a data-protection officer.
“If you are doing any sort of analytics regarding people’s behaviour, large-scale analytics, then you will need a data-protection officer.”
Jon Baines, chair of the National Association of Data Protection and Freedom of Information Officers in the UK, says he can “count on the fingers of only a few hands the people that I would trust to undertake the DPO role in a complex and high-risk organisation”.
“Finding the right person is not easy. Again, I would be looking for experience, as well as a detailed knowledge of law and practice. It would be great to have a regulator-approved DPO qualification/certification, but I don’t see any signs of that as yet.”
Asked for predictions on fallout from GDPR in the areas of litigation, enforcement, data subject rights and so on, Baines says there are angles lawyers will look at very carefully, and it is possible that almost any controller, or data processor, could get caught up in costly, “innovative” litigation as the dust settles.
He doesn’t see any particular appetite in the UK – and it is likely the same applies in Ireland – for any sort of “vigorous or novel” action by regulators on the enforcement front. They will, he suggests, look at compliance failings or achievements as aggravating or mitigating factors when deciding what, if any, sanctions to impose.
An increase in the exercise by individuals – data subjects – of their right to access their data is also predicted after May. Baines predicts there may even be some “concerted and mass campaigns”.
“However, I don’t think the increase will be as big as some have been predicting. It will be interesting to see how the regulators, and the courts, respond to such campaigns.”
It is also possible that almost any controller or processor might find itself faced with a complex and costly “right to erasure” request under the regulation, he suggests.
Another thing that emerges as a concern is the potential for inconsistency in how GDPR is enforced by data-protection authorities across the EU. While there is a so-called consistency mechanism – more often referred to as the “one-stop-shop” – providing for co-operation between data-protection authorities and the appointment of a single, “lead” authority, Baines says he is “far from convinced” we will see much consistency in how it is enforced.
“With such a broad and wide-ranging legislative instrument, it is very hard to see a smooth transition from currently widely diverging regulatory practices to a one-size-fits-all approach, and [secondly] GDPR itself provides for so many derogations, and latitude [allowing member states to vary their approach to implementation in a small number of areas of the regulation], that consistency will be defeated in many areas before it’s even started.”
One thing many organisations may not have taken into account in their preparations is Brexit. The UK becomes a “third country” for the purposes of data transfers from the EU after Brexit and there may yet be a long period of assessment by the European Commission before a decision on whether it provides an adequate level of data protection.
Awareness of GDPR ‘sadly lacking’
“While the bigger businesses might be aware and many have either done a lot of work on it, or are at least trying to address it, a lot of smaller businesses aren’t aware how it impacts them,” he says.
He has observed a lot of people trying to sell “GDPR-compliant” solutions, which “simply do not exist”.
Neylon says small business owners need to ask themselves questions about how they are collecting and handling personal data both physically and electronically. They need to look at what data they have, ask why they have it and whether they still need it, he adds.
“I’d also urge every small-business owner to invest in a couple of good-quality shredders,” Neylon says.
“Things like old mailing lists should probably be cleaned up or deleted. If you haven’t used the data for more than a year, why are you still keeping it? Remember if you don’t have the data it can’t be stolen or otherwise abused, which is one of the things that legislation like GDPR is aimed at preventing.”
Neylon notes many employers may also have electronic or physical copies of the CVs of prospective employees sent to them after they have advertised vacancies.
“You won’t be able to justify keeping them, so delete them and shred the physical versions if you’ve got them printed out. Other data you might have is simply not obvious. If you’re recording phone calls how long are you holding on to them?
“Remember the way the IT team organised those backups to save you from a disaster? You might need to check that they aren’t backing up tonnes of personal information that you really need to purge once you’ve finished with it.”