Update – GDPR has arrived
On 25 May 2018, GDPR came into force. Any company that does business with EU members needs to be in full compliance with the EU’s General Data Protection Regulation (GDPR). This requires them to take specific steps to more securely collect, store and use personal information.
For many organisations, time has run out.
At a personal level, most of us have been bombarded recently by a barrage of emails from companies begging us to “stay in touch” or “opt in” or informing us of a “policy update”. This is the tip of the iceberg of what companies are doing to make themselves GDPR compliant.
Some US organisations, including the LA Times, were not prepared and responded to the 25 May deadline by blocking European access to their sites.
However, there is a lot of evidence that companies have not been treating personal information with due care. At least 143m customers of the credit score agency Equifax were hit by a breach. Public trust has been eroded by breaches of privacy in the mass harvesting of data from Cloud service providers, as highlighted by the Facebook/Cambridge Analytica debacle.
GDPR has big teeth
Companies that are not meeting the GDPR this time next year face significant fines for indiscretions.
For example, NCC Group built a model that took the fines actually imposed for privacy breaches by the UK’s Information Commissioner’s Office and calculated what they might have been under GDPR. Under the model, British companies that were penalised for breaches last year could have faced fines totalling $112m AUD under GDPR, rather than the $1.524m AUD they actually had to pay. That is orders of magnitude larger.
Extrapolating the modelling:
- The 2016 fine for the TalkTalk data breach seems small compared to what it might have been under GDPR. TalkTalk got whacked last year with the biggest fine ever imposed in the UK for a data breach: $693,000 AUD. NCC calculated that TalkTalk’s fine under the GDPR would have been an eye-watering $102 million.
- Pharmacy2U sold personal details, including medical-related information, to a lottery company. It was fined $225,000 by the UK Information Commissioner in 2015. NCC’s modelling indicates that it would instead have faced a much steeper fine of $7.6 million under GDPR.
Those are large sums, especially in light of a report from earlier this year by (ISC)2’s EMEA council, which covers Europe, the Middle East and Africa. According to (ISC)2, companies aren’t doing at all well. The familiar mantra is “Time is running out”.
The (ISC)2 EMEA council warned of what it sees as poor acceptance of accountability across organisations and an apparent belief that the task ahead is one for the specialists, either legal or technical.
Meanwhile, a recent report by UK company Crown Records Management found that nearly one in four UK businesses surveyed said they had stopped preparing for GDPR. In fact, 44% said they didn’t think GDPR would apply to them once the UK divorces the EU sometime in 2019, post Brexit. There are two problems with this line of thinking. Firstly, in the short term, businesses will still need to meet the GDPR whilst the UK is part of the EU; and secondly, unless there is a complete change in trading relationships, the EU will remain the UK’s biggest export market.
SMEs are not immune
Another point of uncertainty for companies is about size. Unlike Australia, where there is effectively a privacy carve-out for most small companies, the GDPR requires that any company doing business in the EU more securely collect, store and use personal information. So smaller companies also face fines for any violations that occur.
That said, the regulation accounts for the fact that smaller businesses lack the resources of the big guys. The Bytestart UK small business portal gives some advice for SMEs on what they need to know about the GDPR. They make four points:
- Firms of a certain size (over 250 employees) must employ a Data Protection Officer (DPO). This person ensures that the business collects and secures personal data responsibly. Smaller firms may have to as well if “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects”.
- Mandatory reporting – breaches in data security must be reported immediately to data protection authorities such as the Information Commissioner’s Office (ICO) in the UK. Ideally, breaches should be reported within 24 hours if possible, but certainly within 72 hours.
- Individuals have more rights dictating how businesses use their personal data. In particular, they have the ‘right to be forgotten’ if they withdraw their consent to the use of their personal data or if keeping that data is no longer required.
- Failure to comply with the GDPR will lead to heavier punishments than previously. Regulators will be able to fine up to 20 million Euros or 4% of annual turnover (whichever is higher).
Now that we’ve outlined what’s at stake, let’s look at some concrete steps that companies wanting to trade with the EU must take to be ready for 25 May 2018. Australian and New Zealand companies are in this boat too, not only those in Brexit Britain. We’ve written previously about how decisions in the EU and USA on privacy affect Australia. It is likely that GDPR will play out much the same way.
Ireland’s Office of the Data Protection Commissioner has produced a checklist which is quite good. We’ve found this list to be particularly helpful with our clients.
- Become aware.
- Become accountable.
- Communicate with staff and service users.
- Protect personal privacy rights.
- Review how access rights might change.
- Identify your legal basis for carrying out processes and document it.
- Ensure you are using customer consent as grounds to process data.
- Process children’s data extra carefully.
- Have a plan to report breaches.
- Understand Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default.
- Consider data protection officers.
- Understand International Organisations and the GDPR.
How to approach GDPR compliance
GDPR is just another project. These are some milestones that your organisation might consider so that it can be ready for 25 May 2018:
- Executive Support and Awareness in place
- Project Plan and Budget
- User Awareness
- Appoint a Data Protection Officer
- Identify privacy information holdings
- Update Privacy Notices
- Revise Data Protection Policies
- Re-examine Information Sharing Agreements
- Develop and accept at an organisational level Privacy Impact Assessments
- Identify cross-border transfers
- Establish a Data Subject Rights Management protocol
- Ensure “Privacy by Design” is implemented into the Organisational Project Methodology
The EU has created a GDPR portal which gives a countdown until enforcement and, more importantly, FAQs about how to prepare.
There is also a lot of guidance available from the UK Information Commissioner’s Office.