So, it’s a new year and GDPR comes into force this year – May 25th, 2018 to be exact!
In the interest of being ready to tackle the year head on I thought I would write an article on the dreaded GDPR! I’ve read a lot around GDPR, been to various seminars and it’s interesting to hear the different interpretations. It’s also interesting to see how some make it sound so much more complicated than others. Here’s my attempt to make sense of it all!
Data protection is nothing new and goes all the way back to Winston Churchill! We’ve had data protection regulations for a long time (the Data Protection Act (DPA) came into being in 1998). Although there have been updates along the way (and we also have laws such as the privacy laws), we have been long overdue a real overhaul of the regulations, and this really is necessary, particularly when we consider how far the internet and connectivity have come since 1998, along with the evolution of smartphones, apps and social media (Twitter was introduced in 2006, as was Facebook (opened to the public in 2006) – long after the DPA was first introduced). Essentially, it’s here to protect us better!
GDPR is a regulation intended to strengthen and unify data protection for all those within the European Union (it applies to all Member States of the EU). What will happen after next year, you say? Well, we don’t know for sure yet, but my personal opinion is that probably not too much will change. That’s because GDPR also applies to any company dealing with data from any country within the EU. This means that if your company is outside of the EU but deals with people in the EU, you will be subject to GDPR.
On that subject, if your organisation deals with the US, you’ll need to look at Privacy Shield (the US does not have privacy laws). It’s worth noting that if your organisation has dealings with foreign countries and/or has employees in other countries, you might want to get on with your GDPR assessments, as any changes will have to go through employee reps, unions etc. in their own countries – it can be a slow process, so get started now!
There are some simple questions to start with when considering GDPR:
- Where do you store data?
- Where/who do you collect data from?
- How do you use data?
- When do you delete data?
Once you’ve answered these questions, you’re in a good position to do a risk assessment.
There is no GDPR product that you can buy and have done with it. GDPR is about reviewing what is currently in place, assessing risk and taking any necessary actions. You must be aware of where your data resides and what your risk exposure might be. It’s also about good IT security and staff training – something that is often forgotten about!
Another key point to review that is often overlooked is data attacks. Most companies have processes and systems in place for external attacks (sometimes called cyber-attacks), but what about internal attacks?
A good case to illustrate this point is Morrisons. The High Court found that WM Morrisons was vicariously liable for a malevolent employee (an internal auditor) who disclosed the personal data of approximately 100,000 employees on a file-sharing website. The employee had a grudge against his employer and wanted to cause reputational and financial damage (he succeeded). He was sentenced to eight years in prison. Another result of his actions was that about 5,500 of the 100,000 employees brought a claim against Morrisons, citing breaches under the DPA (1998). The court was satisfied that Morrisons had appropriate measures for keeping information secure and had acted swiftly upon being informed of the breach (and therefore the claim was not successful on this point); however, the court held that Morrisons were vicariously liable for the actions of this employee.
This second point presents a great difficulty for employers, as there seems to be little that Morrisons could have done differently in this case. Morrisons are able to appeal the finding of vicarious liability, but if it is not overturned, it could be very costly for them. This case really highlights the issue of internal data breaches – what do you have in place to stop this from happening? This case, along with the upcoming GDPR, is a clear indicator that data protection and cyber security should be at the forefront of organisations’ priorities and risk management strategies. So what should you be thinking of?
- Get everyone on board (Make sure everyone knows about GDPR – Owners, Directors, boards – they all need to be aware)
- Have a plan (Timelines, regular audits)
- Risk Assessments (also look at Privacy Impact Assessments – Guidelines on the ICO website)
- Invest in technology (Make sure it’s up to date)
- Contracts revised (Do contracts need a sentence on GDPR added?)
- Training & Education (Be able to demonstrate staff are trained in cyber security and data protection)
- Crisis / breach plan (Just like you have a fire plan, what do you do if you are breached?)
If organisations cannot demonstrate that they have GDPR-compliant technical and organisational measures in place to prevent data breaches, they may be liable to GDPR-level fines combined with compensation claims for direct and/or vicarious liability.
Some other things to consider:
Data Protection Officer
If you have over 250 employees and/or you’re heavy on data processing, then you’re going to need a dedicated Data Protection Officer. From what I’ve heard, this is a job to outsource unless you have someone with the right qualifications, as this person will have a great deal of responsibility and/or liability.
Secure Systems
Good systems and good security systems are also at the heart of GDPR. It’s important to ‘stress-test’ systems to ensure they can cope with attempted breaches. All systems need to be kept up to date – it sounds simple, but people often forget how quickly things go out of date, and/or it’s just not a priority. Take TalkTalk: a big company that fell foul of this when they had a data leak, resulting in a £400,000 fine (they have actually had more than one cyber attack over the last few years). It was found that their systems were old and outdated and, essentially, they had done nothing about it. Information Commissioner Elizabeth Denham said: “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease. Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
This fine would have been significantly more had GDPR been in place.
Penalties for non-compliance can be steep, so it’s important that you know what is expected and that you have the necessary measures in place. Fines will be based on turnover, not profit: 20 million euros or 4% of global turnover (whichever is greater). There is a lesser tier of 10 million euros or 2% of global turnover. Organisations face the very real prospect of going out of business with these types of fines.
Data Controller & Data Processor
It is also important to note that under the GDPR regulations, both the Data Controller and the Data Processor are now liable. For clarity, please see the definitions below:
Article 4(7): Data Controller: “‘controller’ means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union law or Member State law, the controller or the specific criteria for his nomination may be designated by Union law or by Member State law;”
Article 4(2): Data Processor: “‘processing’ means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”
Deleting Data
GDPR also tackles the issue of holding onto people’s data. People have ‘the right to be forgotten’. Employers need to delete data that is no longer used (painful if you are a hoarder by nature!). Obviously, there are some considerations to make here, e.g. financial data, where you’re expected to keep records for six years.
As an HR professional, I know that in the past there have been times where I could have been guilty of hanging onto paperwork “just in case” I needed it down the line (and years later I’ve never needed it or even looked at it!); the same probably goes for most people. For example, CVs that come in – do we really need to keep them after the role has been filled? Certainly after a few months you should now be deleting them under the new GDPR regulations.
In relation to people’s data there is also a focus on permission/consent. Have you had consent to obtain and hold onto people’s data (this includes email addresses)? You might have noticed that when you go shopping now, more and more retailers are asking you if you would like your receipt emailed to you. This saves on paper (and I’m all for that!), but it also means you are consenting to giving that retailer your email address (and therefore it probably means you’ll start receiving email offers etc.). It’s a way to prove consent.
Data Breaches
If there is a breach of data, the new regulations are very clear about what you should do:
Breach rules: Article 33(1): “without undue delay and not later than 72 hours after having become aware of it…”
Article 34(1): “When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”
- Burden of proof is on the controller – Article 24(1)
Organisations are expected to act swiftly when a breach is discovered (no later than 72 hours later) and to let people know if there is a high-risk breach (Article 34(1)). There should be a crisis plan in place to deal with issues like hackers and/or any other data breach.
So let’s have some key reminders:
- Stress test data and security systems – make sure your systems are up to it!
- Internal access to sensitive data – Who has access? Can this be reduced? Be able to justify who has access.
- Staff training on data security
- Crisis Planning
- Increased need to review current practices, systems and how data is held. Get rid of old data! Holding onto data that’s years old won’t be acceptable. Make sure there are systems in place to get rid of old data.
I found a great little infographic which sums it up nicely! Please note that this blog does not cover everything relating to GDPR! However, hopefully it will give you an idea of what you need to think about.