Why is GDPR compliance so hard to pin down … And what should your company do about it?
With the effective date of implementation now just eight months away, we have heard from many of our clients that it seems impossible to know what you really must do in order to meet the requirements of the new General Data Protection Regulation in May 2018.
It is likely that the ambiguity is by design; because of the tremendous acceleration in both the legitimate and illegitimate uses of personal data, regulators are running to catch up. On the one hand, you have enormous companies like Facebook, Google, Amazon, Verizon (which now owns Yahoo and AOL), Tencent and Baidu whose lifeblood is personal data; they are happy to give away services to obtain the rights to that data. On the other hand, there are the hackers: criminals and state actors alike. Also in the field are law enforcement and security services, which constitute a mesh of public and private entities relying on data to tell friend from foe. Stuck in the middle are individuals (the rest of us) who may have our data used and abused in quite unimaginable ways. GDPR’s ambiguity is meant to help regulators avoid missing the unimaginable and still give citizens some statutory protection.
In addition, the speed of change makes it difficult to be prescriptive about security protection. In the past, technical approaches to satisfying security requirements have been compromised at a faster rate than legislation could change. Consequently, article 32 on “Security of processing” simply begins “Taking into account the state of the art, …”. Tough luck if you don’t know the state of the art, or who has the ability to recognise it! But this is just a practical response to the challenge: defining the required level in the legislation itself would be equally problematic.
In time, there will be case law, increased guidance from the supervisory bodies and the European Data Protection Board, and finally codes of conduct with certifications, seals and marks. The usual warning applies, however, that holding a certification doesn’t guarantee compliance with the law. And though the GDPR regulation and its interpretations will stabilise, there will be no such luck with the threat landscape. We can count on more legislative changes in this area.
So, in the face of a lack of clarity and the looming deadline, what is management to do? Here is our suggested approach:
1. Don’t ignore it; it really isn’t going away: Profiling personal data is one thing today; it will be another thing altogether as AI matures. At the same time, cybersecurity threats will continue to increase. The data you currently hold, some of which complies with GDPR and much of which does not, is getting more valuable, and the attackers are getting better equipped.
2. Board-level attention is important: Supervisory bodies have to interpret the conditions set out, so that action is taken in proportion to risk. Debate, decisions and sponsored action at Board level help make a proportionate argument. The Board also needs to understand that the stakes could include a €20 million fine (or 4% of revenue, if that is higher!).
3. Plan capacity for the rapid jump in enquiries that will occur in May 2018 and the immediate months afterwards as individuals across the EU (750m people or so) gain the right to ask what data is held and for what lawful purpose it is used. There is one month to respond to a request. Service providers are already gearing up to help them, and to bring litigation.
4. If you are not using the data lawfully, STOP! But assuming you are, the real challenge to resolve is to gain a person’s agreement to that use. Notices in the registration and capture process need to be updated for this, but the elephant in the room is historic data from previous interactions (we will come back to this).
5. Prepare to review and update security in the technical and organisational design of data processing, as per the current regulation. But expect to revise the approach in line with new frameworks and codes of practice as they emerge and are recognised by the supervisory bodies.
6. Check whether your data is transferred internationally or whether you use third-party service providers for processing data. If so, further analysis and action (some contractual) are needed to fulfil the security-by-design expectation; remember that delegating a process to a supplier does not absolve your company of the need to comply.
7. Add the processes needed to support the citizen’s right to be forgotten and their right to move their data with them.
8. Don’t panic. The regulation succeeds the Data Protection Directive (95/46/EC) and follows other regulation such as Directive 2002/58/EC (privacy and electronic communications). These have raised the quality of practices to a certain level, and the regulators are interested in improving the situation, not claiming scalps. Supervisory bodies are likely to want to help people trying to comply, rather than taking a draconian interpretation to punish firms.
So, having tidied everything up going forward, what do you do about the personal data obtained before the new standards were in place?
Freely given consent is required, explicit to the purpose for which the data is used. Going forward, firms that introduce a new service and propose to use existing data will need to ask users for consent. Firms also need to consider what to do about today’s activities that use personal data which was obtained before the legislation. Compliance will be patchy until the regulators clarify which cases are in scope, and which will receive enforcement focus.
Will every employer contact their employees to obtain permission to use their personal data in order to continue to pay them? Equally, will every EU citizen want to be bombarded over the next few months by every organisation enumerating all the ways their data is used and requesting them to go to its website and agree to continuance, or lose access to the scores of online services each of us uses today?
We expect three models to arise.
1. Online services with a high level of client engagement (e.g. Google, Uber, etc.) will simply acquire the new 'unambiguous consent' at a point prior to implementation and begin the audit trail from that day forward. They will be under relatively little risk of attrition, as the consent will be acquired at the point of a service request, so the users will be predisposed to grant it. This approach will also be taken by “sticky” providers of services like mortgage servicing, insurance, etc. The effort of revisiting the language of agreements should not be ignored, but we have been here before (e.g. Safe Harbour).
2. Entities holding data today will, between now and implementation, contact their customers for opt-in to minimise the problem… if your company is not running campaigns to drive this right now, you should start right away!
3. Services with a low level of engagement, including those with mailing lists they have acquired through affiliate marketing deals and from opt-out transactions, will assert they have opt-in while at the same time outsourcing the contact to third-party entities, probably of very recent establishment and brief existence, to actually perform the contact. This will buy them time to firm up their opt-ins both operationally and in the courts. Sadly, we have all read this story before. In some cases, this will be fair and justified. In other cases, less so. Life's rich pageant.
At Virtual Clarity, we are happy to help companies adapt their IT operating model and processes to comply with the regulation, especially in this 'cloud first' world where client data needs to cross legal entity boundaries for SaaS, BPaaS, etc. all the time.