As the countdown to the GDPR enforcement date ticks away, organisations are starting to get to grips with their data protection responsibilities. However, a common theme is emerging at conferences, in online discussions and at meetings – the challenges of finding the “right” answers.
Data protection law is not a checklist of actions, or a list of ‘do and don’t’ rules. It uses language such as “fair”, “reasonable”, “appropriate” and, most commonly, “risk”. This means that there is a lot of flexibility for decision-making. For an organisation which has not previously put in place infrastructure for risk management and data governance, such things can require a lot of work to implement.
Some organisations have settled on a “wait and see” approach to questions such as “when is it OK to use legitimate interests as a basis for processing?” or “who needs to have a statutory Data Protection Officer?”. Some are holding out for clarification from the regulator or industry, or even for case law that is yet to be established, before making decisions on their data protection strategy. There is a lot going on in the world of data protection law at the moment, but time is passing quickly. Even if regulators and courts decide to be lenient on those who are grappling with uncertainty, data subjects – your customers, your employees and volunteers, your suppliers and beneficiaries – will still expect to have their privacy rights respected and their personal data safeguarded.
With that in mind, here is a list of things that we don’t think you should wait for – and what to do in the meantime.
Don’t wait for:
1. ICO guidance
The Information Commissioner’s Office has committed to publishing guidance on various aspects of GDPR, including the legal basis for processing, contract terms between Data Controllers and Data Processors and transfers of personal data outside the European Economic Area. However, the workload involved has already caused their schedule to slip, and it is unlikely that all of the guidance will be in place before the GDPR enforcement date.
The guidance published by the ICO describes their interpretation of the law, provides case studies or hypothetical scenarios to illustrate their position, and gives examples of what they would consider to be ‘good practice’. The guidance will not contradict the law, or bring any surprises to those who are already familiar with the data protection principles and obligations. The ICO have stated that.
Much of the ICO’s guidance will consist of the message: “make your own decisions based on what the law says, justify and document what you decide”. They will not issue prescriptive instructions and cannot anticipate every sector’s needs or possible scenarios.
The ICO’s guidance changes as case law develops. As with the subject access code of practice, the guidance becomes outdated as the technicalities of law are tested against real-life scenarios. However, the spirit and principles of the law do not change. If your data protection programme is aimed at truly respecting and protecting individuals’ rights and freedoms, then you are less likely to encounter problems with compliance. You should not find that the ICO’s guidance makes a significant difference to how you go about your business.
As a ‘friendly’ regulator, the ICO produces a lot of high-quality guidance and education materials on information rights, but this does not relieve Data Controllers of the obligation to understand and apply the law. It is unlikely that the non-availability of their guidance could provide justification for failing to plan, resource or carry out data protection improvement obligations – especially as so much of GDPR is similar to past data protection law.
Don’t wait for:
2. The GDPR enforcement date (25th May 2018)
The GDPR was agreed and became directly applicable across the EU in 2016. As with all new law, there was a ‘grace period’, to give everyone time to prepare before enforcement of the new rules began. In this case it was 2 years. This means that from May 2018, all Data Controllers are required to comply with GDPR and may face enforcement action or litigation if they do not.
It is estimated that many organisations will still be unable to demonstrate full compliance on this date, while some large, complex organisations may have needed longer to prepare. Others have either only recently learned about GDPR or only recently started to take action to plan their compliance. However, data subjects and other organisations in the supply chain will be concerned about their rights and obligations, even if the regulator can’t pro-actively investigate and enforce against practices which breach the law. “We left it too late” is unlikely to be a strong justification for failing to comply.
Don’t wait for:
3. New systems
You may be planning to bring in a new CRM or emailing platform, or to overhaul your IT systems entirely. That won’t give you a free pass when it comes to your organisation’s culture, change management procedures, incident logging or risk assessments. There is much more to GDPR-readiness than technology, so waiting for new systems before starting work on transformation makes it much more likely that something will trip you up in the interim. It is also possible that your shiny new system will need significant re-working in order to mitigate the non-compliant practices that have built up over time.
Don’t wait for:
4. The UK Data Protection Bill
The UK Data Protection Bill is currently winding its way through Parliament and is intended to translate GDPR into domestic law after Britain leaves the EU. At the moment, EU Regulations apply directly to all Member States. After Brexit, the UK will need to demonstrate a robust level of data protection in order for the EU to share data with us (this is called a “finding of adequacy”). The UK DP Bill (which will presumably be a new Data Protection Act, once finally approved) will be our way of demonstrating data protection adequacy to the rest of the world. It cannot contradict or undermine GDPR, otherwise we will fail the adequacy test, with serious consequences for the economy, trade and national security.
The DP Bill does not mirror or copy the GDPR; it sets out how GDPR will be applied within the UK and addresses the parts which have been left up to individual nations to decide (called “derogations”). It will therefore not stand on its own, but sit as a layer between the UK and the rest of EU data protection law. So, no matter what happens after Brexit, GDPR will still need to be understood, applied and upheld.
For most organisations, the differences between GDPR and the UK Data Protection Bill will be minimal, as the larger part of the Bill deals with law enforcement, national security and the intelligence services.
While there is some uncertainty around specific technicalities in GDPR, the large majority of the legislation can be turned into action right away, without the need for guidance, case law, enforcement or UK-specific legislation.
1. Change organisational culture
Data protection should not be seen as an additional overhead to the day job, but as an integral part of the day job. Build privacy-awareness within the organisation and educate staff about the data protection principles, people’s rights and the need to build data protection considerations into all activities.
2. Identify governance and risk management responsibilities
No transformation or change programme can possibly succeed without sponsorship from the top levels of the organisation, and engagement at all other levels. There should be a senior-level individual responsible for driving the adoption of good data protection practices within the organisation, a designated point for reporting incidents and risks, and clear lines of authority for decision-making. Remember, the Data Protection Officer (or Data Protection Lead, in organisations that don’t require a statutory DPO) cannot single-handedly make an organisation compliant – their job is to advise, educate and report on data protection matters. Only the organisation’s management and staff can actually do the work that’s required to meet the standards set out in GDPR.
3. Understand your data
Data is a critical part of every organisational process, but simply generating lists of filenames and databases is of limited value. You should start by understanding how your organisation operates, the activities it carries out and why these activities are necessary. This will allow you to identify the purposes for which personal data is processed. Once the purposes are identified, an appropriate legal basis for processing can be established. This exercise is critical for compliance with the new GDPR accountability principle, and it also provides useful information for later decisions about how data subject rights should apply, what to put in privacy notices and how long to retain specific data sets.
4. Plan, schedule, allocate resources, prepare
The ICO recognises that not everyone will be fully GDPR-compliant by May 2018, but will expect to see strong evidence that any organisation that comes to their attention is taking action to meet GDPR requirements. This means being able to demonstrate what work has been done so far, what has yet to be done, when it will be done and by whom. If you don’t already have a plan for GDPR preparation, now is the time to put one together.
Protecture works with organisations of all sizes and sectors, supporting them to prepare for GDPR with up-to-date policies and other framework documents tailored to suit their needs, backed by on-going support, training and external audit.
For more information about how we can support you, please explore our subscription options, or call us on 0203 691 5731.