New rules for protecting European citizens’ personal data are now enforceable by law, and organisations are being advised to focus broadly on commitment rather than narrowly on compliance
As the compliance deadline for the European Union’s (EU’s) General Data Protection Regulation (GDPR) is reached and the GDPR-aligned UK Data Protection Act 2018 goes into force, experts say organisations should ensure they can demonstrate long-term commitment to data protection.
Commitment to data protection in terms of the GDPR framework is what European data protection authorities are going to be looking for initially rather than strict compliance, according to legal experts, which should come as a relief to any organisations still panicking about not being compliant in time.
Countless surveys have been published in recent weeks about what proportion of organisations in various sectors expect to be compliant by the deadline, but the emphasis is going to be on commitment to data protection in the longer term, as indicted recently by Nigel Houlden, head of technology policy at the Information Commissioner’s Office (ICO).
“GDPR is not another Y2K where the issue disappears after compliance deadline on 25 May 2018,” he told the TechUK Cyber in the digital economy conference in London.
Houlden also highlighted one of the ICO’s key messages around the GDPR that businesses can use the framework to drive better cyber security and thereby build consumer trust for competitive advantage. “It is meant to be about strengthening citizens’ rights and can be used as a badge of honour,” he said.
The business benefits of improving data protection capabilities, said Houlden, should be as big a driver as the GDPR’s punitive actions and fines of up to €20m (£17.5m) or 4% of global turnover, whichever is greater.
The ICO has emphasised that it prefers supporting organisations to enable them to comply, but that it has also made it clear that it will use the new powers granted by the GDPR if and when necessary.
“Hefty fines can be and will be levied on those organisations that persistently, deliberately or negligently flout the law,” said Houlden, adding that there are several other punitive actions at the ICO’s disposal, including the power to order companies to stop data processing, which could have even greater impact on a business than a fine.
ICO’s post-Brexit role
That said, the ICO and other data protection authorities are not expected to move to enforcement action any time soon, allowing time for the new powers, processes and regulations to bed in and become familiar to stakeholders.
The first month at least is likely to be focused on the European Data Protection Board (EDPB) establishing itself as a very important body in terms of coordinating the enforcement actions of regulators and asserting its authority, according to Eduardo Ustaran, partner and European head of data protection at law firm Hogan Lovells.
“Consolidating the role of the EDPB, which will replace the Article 29 Working Party and will be even more important, will be one of the priorities for regulators,” he told Computer Weekly.
“UK organisations can expect the ICO to continue to be reasonable in terms of understanding the challenges of compliance, while at the same time being firm about the need for commitment rather than compliance from day one, which is the key message from the regulator’s perspective.”
The ICO has indicated that, post-Brexit, it plans to continue to play a full role in EU institutions and maintain influence and strong working relationships with the members of the EDPB, however it remains to be seen whether the ICO will have a seat on the EDPB with full voting rights or assume some other relationship.
The proposal notes that the ICO is the largest data protection authority in the EU, that it is recognised by other European data protection authorities as a well-resourced and highly valued centre of expertise, that it plays a “leading and influential” role in EU policy development, and it is an effective enforcer of EU rules, with a strong record of independence.
“The ICO is deeply committed and embedded in the EU regulatory community. And that is the message I’ve been giving to parliamentarians when giving evidence to committees looking at the implications of Brexit,” information commissioner Elizabeth Denham told the recent IAPP Data Protection Intensive conference in London.
Nailing the essentials
At a national level, Ustaran said it is already clear what regulators are prioritising. “This includes things that are regarded as more intrusive in terms of privacy, such as the use of data on the internet, new tracking and location technologies,” he said.
“It also includes the things are visible, such as privacy notices, mechanisms for obtaining consent for marketing and techniques used to gather personal data on the internet.”
Ustaran added that in the event of a complaint, the regulator is only “a few clicks away” from finding out if an organisation is compliant with GDPR requirements or not.
While demonstrating a commitment to data protection is a good general strategy rather than worrying about strict compliance, which is “not the right approach”, Ustaran said organisations should focus in the short term on ensuring they have “nailed the essentials”, because failure to do so is highly visible to regulators.
These essentials, he said, include things such as ensuring organisations have clear lawful grounds for data processing, that their data processes are transparent, and that they are meeting all their accountability obligations.
With or without guidance, the law is the law and must be recognised
Eduardo Ustaran, Hogan Lovells
Ustaran also advises against waiting for guidance before taking action. “With or without guidance, the law is the law and must be recognised,” he said.
There are some aspects of the GDPR which are not entirely clear, such as the limits of legitimate interest, and will become clear only in time as the issues are debated and the new rules are applied by regulators, but Ustaran emphasised that this should not be used as an excuse by organisations to delay taking action to meet clear regulator expectations around the key requirements.
Ustaran praised regulators such as the ICO for the work they have done to demystify the GDPR by producing guidance on key topics and principles, but said there is “a lot of new stuff” that has to be learned and understood, and that some areas such as data protection by design and by default have not been given enough attention to help organisations to understand what that means in practice.
“It is important for organisations to ensure they have all the practical policies and procedures for data protection that have to be in place and implemented, including data protection impact assessments, which should be a top priority,” said Ustaran.
Dawn of a new era
It is also important that organisations ensure that they are ready to report data breaches because a failure to do that correctly is “very visible” and “potentially very damaging”.
However, Ustaran reiterated the view that 25 May 2018 is not the finishing post, but rather the starting point of a new era in data protection and privacy under the GDPR framework, which requires an ongoing commitment by all organisations that collect, store and process personal data.
“Organisations need to think of the GDPR as a long-term exercise because it is going to take years for everyone to really understand the issues and be fully compliant,” he said, adding that many organisations are still struggling to come to grips with aspects of the GDPR that have been part of existing data protection laws for quite some time.
Commenting on new UK data protection legislation, information commissioner Denham said: “The creation of the Data Protection Act 2018 is not an end point, it’s just the beginning, in the same way that preparations for the GDPR don’t end on 25 May 2018.
“Effective data protection requires clear evidence of commitment and ongoing effort. It’s an evolutionary process for organisations. No business, industry sector or technology stands still. Organisations must continue to identify and address emerging privacy and security risks in the weeks, months and years beyond 2018,” she wrote in a blog post.
Just days to go before the compliance deadline, Louise Byers, head of risk and governance at the ICO emphasised that information records management, collaboration and communication are key in helping organisations to be GDPR-ready.
Attention to these three areas will mark organisations out as data protection leaders, she told the IRMS Annual Conference 2018.
“Good records management is the starting point for everything. You know what you have got, why you have got it and who made you have it. You need to make sure that when processing is based on consent, ensure those records are kept and that withdrawal mechanisms are clear and easy for people to use. And, document when and why you made decisions for the future,” she said.
In terms of collaboration, she said securing senior buy-in is crucial. “Identify your accountability framework with clear roles and responsibilities within the organisation and then tell people who they are. Make sure you work with all parts of the organisation to identify suppliers, this will help with privacy notices and contact clauses.”
On the topic of internal and external communications, Byers advised data protection officers to work with all areas of the business to deliver strong communications around the importance of compliance and breach reporting. “Work with project managers, communications departments and other areas to promote privacy-by-design,” she said.
