The GDPR has been in force for 12 months and the anniversary passed with much less fanfare than a year ago. What has happened and what has changed? Our MD, Howard Freeman looks back and discusses the last year, in the exciting world of GDPR.
A year ago, we were being bombarded with emails asking for our permission from businesses to send us even more emails! Everyone thought about updating their privacy notices. Some actually did update these, but not all. However, despite some poor and somewhat misguided coverage from the BBC and other media companies, the EU General Data Protection Regulation (GDPR) arrived on 25th May 2018.
Together with the Data Protection Act (DPA) 2018, the GDPR was to begin a new era where business would take the security of our data seriously The promise of heavy fines if they failed to do so, awaited.
What was the reality of this? One year on, what have we seen and what have we learnt? Has business made it their mission to become compliant? Who tried to achieve compliance on the cheap and who did not bother at all?
Leading up to the date when the GDPR came into force, the 25thMay 2018, there had been a frenzy of activity. The clearest example of this was technology companies all claiming to have the ‘silver bullet’ and this was very obvious at InfoSec 2018. There was a coffee stall who in a somewhat tongue in cheek manner, outrageously claimed to have GDPR Compliant Coffee! There is no single technology solution to complying with the GDPR.
No need to panic
Many comparisons were made to the Y2K so-called ‘bug’ where it was predicted the world would end and aircraft would fall out of the sky at midnight on 31stDecember 1999. Nothing happened then and the world continued to turn. On 26thMay 2018, the world didn’t end and we all carried on. Naturally, this led to GDPR fatigue, a problem exacerbated by the uncertainty of Brexit and complacency soon set in.
Many businesses see their data as their property, and they can do with it whatever they please. Businesses have invested time and money to build up this data and so it didn’t help when, after failing to gain consent caused by the flood of pointless emails leading up to enforcement day, such data was deleted. Making this problem worse was the arrival and subsequent disappearance of so-called experts. They lacked sufficient knowledge or qualifications, suggested deletion as the only option when this did not need to be the case. This was what we like to call risk dodging as they weren’t qualified to assess risk properly.
The Myths around Compliance
Many businesses have not fully understood the six data processing principles defined in Article 5 or considered their lawful basis for processing. They have very few policies in place and often neglect the need to train their staff on the Regulation’s requirements. Even if they do, they view training as a tick box exercise.
The extent of the GDPR’s requirements are often underestimated, and some organisations think it’s easy to ensure compliance without the support of a specialist. This DIY approach is, at best, dangerous and often involves the use of templates which themselves may have been designed by someone who did not fully understand either. Companies are required to ensure that their compliance project is led by somebody with specific skills, as defined in the GDPR, particularly with regard to the DPO or ‘responsible person’ role.
Financial services are by far the most advanced in terms of achieving compliance though IFA’s and groups of IFA’s often rely on a central ‘system’ but don’t have any proof of the compliance of such a system. They generally accept the providers word for it. Many IFA’s and group of IFA’s continue to store and process data oblivious to the risk they are taking and oblivious to their reputational risk.
The public sector has been quicker in adopting compliance measures than the private sector and by some distance. GDPR apathy is evident across all sectors though and in many cases, not up for discussion.
Data Breach Reporting
With the introduction of mandatory data breach reporting under the GDPR, a lack of compliance becomes most apparent when an organisation suffers a data breach.
No longer can organisations that suffer breaches cover them up and hope for the best. Now, data processors are required to report all breaches of personal data to data controllers In turn, data controllers are required to report breaches to the ICO within 72 hours of becoming aware of them. Data subjects must be notified without undue delay if there is a high risk to their rights and freedoms. Most organisations have no idea how to classify the severity of a breach or carry out an appropriate investigation. Many live in fear of having to admit to clients that their data has been compromised.
Breach reports increased significantly due to the fear of heavy fines. We hear all the time of cases being opened with the ICO that didn’t need to be. This has caused a severe delay in response times from the already overworked ICO.
However, apathy is also apparent. We deal with a lot of cases where an email account has been hacked and not dealt with properly. The provider will normally clean up the mess, but small business doesn’t seem to want to tell clients that the contents of their email may have been stolen.
Many businesses do know they must report but many don’t want to risk it due to possible reputational damage. However, business is not seeing fines issued by the ICO. Therefore, the GDPR challenge to bring businesses to compliance is harder as they see it as not real and the belief that fines will never happen, at least not to them.
Safeguarding Personal Data
It is vital for organisations to limit access to personal data and to encrypt it. Security controls need to be implemented and validated. The Cyber Essentials Certification is security best practice to help achieve this. ISO27001 for information systems is also a vital certification.
Supply Chain Compliance
Many people believe that a data processor cannot be as liable as a data controller. A recent GDPR fine in Italy has proven this to be incorrect. The data processor operated the so-called Rousseau platform that operated a political web site, plus affiliates. The fine of 50,000 Euros was not against the Data Controller, in this case the Movimento 5 Stelle political party, but the data processor, the Rousseau association.
Many organisations do not consider their supply chain but, when doing so, a non-complaint supplier may have to be replaced which, can be difficult and expensive. The use of supplier questionnaires is increasing but once returned, what happens next? Training on how to assure your suppliers are taking data protection seriously is important and its value not underestimated. Very few businesses carry out an audit of their supply chains and this has to change. This change must begin in the boardroom.
The Information Commissioners office is an often feared ‘bad guy’ or a help line for businesses who believe they have had or are having a data breach and need guidance. In the same way that going to A & E with a minor injury, calling the ICO for every incident is not why they are there. Yes, there will be some guidance and re-assurance but, once the problem appears to be solved, the caller and their business relax back into mis-guided non-compliance. Until of course, the next time, when the level of understanding won’t be quite as warm.
The ICO does want to be notified about breaches where the rights and freedoms of people are at risk. This must be carried out within 72 hours. What is the best way to do this? How much information is needed? Preparing such a declaration is complex and needs a clear head and no emotional involvement. If you think this is a plug for our breach management service then, you would be right. The benefit of an external organisation taking a view is a much better way of assessing what should happen next. This is will allow the organisation to carry on with it’s business whilst we examine the incident. If the risk is low, then perhaps no report will be required. Internally, a report will be required as it is vital to understand what has happened and what measures can be put in place to prevent a repeat.
How do we help with reporting?
I often ask business, “if you had paid too little tax, would you call HMRC?” No, you probably would not. Most likely you would contact your accountant and leave it with them to resolve. After all, that is what you pay them to do. Some might say nothing and hope to get away with it. A head in the sand strategy never succeeds.
We like to consider ourselves to be offering the same vital service as an accountant, just in a different area of compliance.
GDPR made simple
Our team can help you no matter how much or how little work you have done towards GDPR compliance. Be it guidance, clarification, an audit or even just a chat, we are here to help you. Perhaps it is our Data Protection Officer as a service, Breach Management Service or our DSAR service or taking you through to full compliance, then we would be happy to talk.
We are a full-service company that will deliver the policies and procedures we agree with you. As a consultancy, we don’t sell packaged training courses, books or software tools that leave you to do all the work. We want you to be able to get on with running your business. Whilst you are doing that, we help you achieve and maintain regulatory compliance.
The next 12 months
Brexit will or won’t happen. That much is very clear, or unclear following the European Election results that came in on Sunday. By October, the UK will have left the EU or Article 50 will have been revoked. GDPR will stay no matter what, as the UK Government has always stated that this will be the case. Leaving the EU will not allow organisations to dodge the issue.
The ICO will continue to guide but whether fines for small businesses will begin, is debatable. Crippling a small business and seeing a dozen people lose their jobs through no fault of their own is politically dangerous but, it would send a very clear message.
Implementing Cyber Essentials and GDPR Compliance in a business must continue. However, it must increase if Personal Data Breaches are to be prevented. Where they happen, management of the process and better outcomes for those whose data is lost.
What we will see is the rise in legal activity. BA is being sued for their now infamous data breach. Ticketmaster is facing a £5million law suit on behalf of 650 claimants following a data breach. It is claimed that victims suffered ‘multiple fraudulent transactions’ and ‘significant stress’. Such claims are only the beginning. Don’t be a victim…