Privacy law is tightening up. Alongside high profile data breaches and cyber security attacks, legislators are raising the bar on protection of information about individuals. The EU’s General Data Protection Regulation will take effect in May 2018, giving businesses and organisations just over a year to get ready. And although the UK Government is pressing ahead quickly with Brexit, the indications are that the GDPR will apply as it is in the short term, and something similar well into the future.
Beginning the process of change can be a daunting prospect, especially for businesses and organisations that hold large amounts of data about individuals. Our research shows that the organisations that already have a GDPR plan are outnumbered by those that do not. We have found that starting with an audit of existing activity and safeguards can help in highlighting areas where work needs to be done. This, coupled with a programme of board-level awareness and training, can give an organisation confidence that it is taking appropriate steps and moving in the right direction for timely compliance.
Changes to data protection law
While many of the core principles will remain the same, the GDPR will bring in wide-ranging changes for data controllers. Some of them will make life easier – there will no longer be a need to register with national privacy watchdogs such as the ICO, for example. But many will be more challenging for organisations holding data about individuals.
For example, new concepts include data protection by design and default, requiring data controllers to build data protection into their internal procedures and into their products and services. There are much tougher controls on the processing of sensitive personal data, with a list of conditions, at least one of which must be met before processing is permitted. And where processing of such data relies on consent, that consent must be “explicit”.
Obtaining a valid consent to processing will be more difficult than it is now, and records will have to be kept to show how consent was given. Data subjects will also have expanded rights, including the right to object to processing and to restrict it, and an accompanying right to be forgotten.
What is the impact of Brexit?
UK Prime Minister Theresa May is sticking to her planned timetable – trigger Article 50 to kick off the formal process by the end of March 2017, with two years to negotiate the terms of departure. The Government is ambitious to agree as much as possible of the post-divorce settlement within the two years, although many familiar with EU negotiations are sceptical as to what can be achieved in such a short time. In any event, the two-year process is likely to finish around April 2019, with the UK ceasing to be bound by EU laws at that point.
Does this mean that the GDPR falls away? Well, no. The Government plans to convert existing EU law into British law initially. What will be removed and altered will then be a matter for subsequent legislation. Current indications (recently confirmed in the UK’s Digital Strategy) are that the UK will stick with the GDPR initially, and develop its own law to provide a stable and clear framework that is deemed adequate by EU regulators. New Information Commissioner Elizabeth Denham emphasised the need for strong ongoing protection post-Brexit in her first speech in the role, explaining that “the aim here is not a data protection regime that appeals because it is overly lax or ‘flexible’”.
And the Government’s white paper on its negotiating objectives for Brexit says it will “seek to maintain the stability of data transfer between EU Member States and the UK” recognising that this will involve offering protection essentially equivalent to that offered in the EU in order to be regarded as a safe recipient for export of personal data. So stronger protection will be here to stay.
Where can I find out more?
The GDPR is a long and technical piece of legislation – not something many non-specialists will want to wade through as bedtime reading. The ICO and the EU-level grouping of data protection watchdogs, WP29, are working hard to produce user-friendly guidance for businesses and organisations.
As an introduction to the changes that need to be made, the ICO’s “12 steps to take now” is a good starting point.
More in-depth guidance on particular areas is becoming available. So far we have WP29 guidance on:
WP29 guidance will follow on consent, transparency, profiling, high risk processing, certification, administrative fines, breach notification and data transfers.
The ICO has recently published draft guidance on consent (open for consultation until 31 March) and is also planning to address contracts and liability.
What can I do to get ready?
You may already have developed an action plan and identified the steps you need to take. We find, however, that many organisations are still at the thinking and understanding stage. Working out where to start can be quite daunting. Some organisations that have personal data woven through their activities may not fully understand where all of that information is held and how it is managed currently. Getting a grip on that is an important first step.
- Data protection audits
A useful approach can be to use a detailed questionnaire across the organisation. This can include questions on what personal information is collected and about which categories of individuals. It can deal with the purposes for which the information is collected, methods of collection, data protection or privacy notices used, as well as addressing storage, processing and transfer of the data.
Breaking down the questions with sufficient granularity can help those unfamiliar with data protection law to understand what they need to provide. For example, setting out the types of information that may constitute special category (or sensitive) data in separate questions, such as sexual orientation, genetic or biometric data and political affiliations, can help respondents understand exactly what it is they need to provide. The information gathered in this way can then be collated into a report to inform strategy and next steps.
- Board-level training and awareness raising
Given the potentially very high fines that can be imposed on non-compliant organisations under the GDPR, data protection has moved up the agenda. Fines can be set at the higher of 4 per cent of annual worldwide turnover or €20 million for the most serious breaches. Privacy is also commanding more attention in the news, and breaches are attracting widespread adverse media attention with severe negative reputational consequences. Think back through the past year or so, and several examples come to mind. (Remember Tesco Bank, TalkTalk, Yahoo.) Even if an organisation has been hacked by criminals, the reaction of both regulators and the public has been unforgiving.
Training at board level, to explain the new obligations and highlight areas where an organisation may be at particular risk, will help an organisation be confident that it is developing the right strategy, as well as demonstrating seriousness about complying with its obligations.
- Contract review and updating
From May 2018, organisations that put personal data in the hands of their suppliers will need to ensure that their contracts include more detailed data processing provisions. This will apply to existing as well as new contracts, where those arrangements extend beyond the switch-over date. Many of our clients are asking for help to build GDPR-ready clauses into their contracts now.
- Updating consent and fair processing statements
Existing consents will no longer be sufficient after May 2018 unless they meet the more stringent requirements of the GDPR. Organisations will also need to ensure that they provide data subjects with more detailed information about their data processing activities. We are supporting a range of organisations in reviewing their privacy policies and consent mechanisms to ensure that they comply.
Getting serious about privacy is not just a legal requirement. As we all know, losing customer trust is easier to do than to reverse. Building a candid picture of what your organisation is currently doing with data about individuals, and understanding the direction it needs to take, is now a business priority. And breaking it down into manageable stages will help any organisation, large or small, to get it right.