GDPR: countdown to stringency

The General Data Protection Regulation (GDPR), which comes into effect on May 25th, sets out to significantly change data-protection law in Europe, strengthening the rights of individuals and increasing the obligations on organisations.

At the centre of the new law is the requirement for organisations and businesses to be upfront about how they are using and protecting personal data, and to be able to demonstrate accountability for their data-processing activities.

In theory, it may seem straightforward but it will require a lot of new processes and systems that most companies, especially SMEs, aren’t ready to deal with – or don’t have.

Professor of Digital Business at DCU Business School Theo Lynn says it requires companies to demonstrate how they are meeting the regulations for data processing that includes not only how they manage personal data, but, if there is a data breach, how they would respond to that.

If companies don’t do this, the punishment is quite severe – between 2 per cent and 4 per cent of total annual worldwide turnover.

Consumer data is currently collected through mobile phones, laptops and internet searches, as well as through more traditional channels: filling out medical forms, or a driver’s license application, for example.

“Who controls that data and how it is being used has gotten very blurry and the existing data-protection legislation wasn’t designed to deal with the huge influx of data and analytics, so what the GDPR does is, it introduces regulations across Europe that allows individuals to have greater control over their privacy,” Lynn says.

‘Impacts trust’

In March this year, revelations regarding Facebook and Cambridge Analytica’s use of Facebook profiles shone a light on how our data can be used without our knowledge or informed consent.

“It certainly impacts trust in the social-networking sites. In this case, the public shared their profiles by completing a personality test through a Facebook app. This app appears to have been able to use Facebook likes and other profile data to map personality traits. Once harvested, it could be augmented with other third-party data sources for targeted marketing and other engagement campaigns by Cambridge Analytica and others. It is reasonable to believe that the Facebook users who used the app for their personality test did not envisage the data being used for political marketing.

“Another example of where people share data inadvertently is free public Wi-Fi. Often public Wi-Fi is provided in exchange for browsing data. This browsing data is often used for marketing or sold to third parties to defray the costs of providing public Wi-Fi. Post-GDPR, users will need to affirm use somehow,” Lynn says.

While GDPR-awareness is high among small firms, at 89 per cent, one in five has yet to put a plan in place, according to the Small Firms Association (SFA).

“With the ‘go live’ date just a month away, we have seen a spike in activity among members as they get ready to comply with the new data-protection regulations. Still, it is worrying that almost one in five small businesses do not yet have a plan in place in relation to GDPR,” SFA director Sven Spollen-Behrens says.

The SFA’s Small Business GDPR Readiness Survey shows 39 per cent of respondents have made some preparations for GDPR and an additional 45 per cent have started to prepare. However, no company identified themselves as “GDPR-ready” and 17 per cent said they had no plan in place.

Spollen-Behrens says many small businesses are feeling “overwhelmed” by what they have heard about GDPR, with most concerns around employee records, IT, marketing and outsourcing.

Companies need to be more cognisant of or have more governance of the personal data they hold, Brian Honan, information security industry expert and chief executive at BH Consulting says.

“Any information they no longer need should be securely destroyed. Special-category information has to be dealt with with more care and caution as it could cause more harm to the individual – for example, health information, political views, racial and ethic background, mental health or trade-union membership,” he says.

‘Right to privacy’

“The legislation gives more control to individuals, and our rights to privacy. We do have a right to privacy and we should be very protective of that. GDPR gives us the tools to protect that. It won’t necessarily stop companies from using our information to sell to us, but they will have to inform us more and put more checks and balances in place to make sure we’re more comfortable with what companies and organisations are doing with our information.

“Companies will have to change their terms and conditions and a lot of social media platforms like Twitter, Facebook and Instagram are going to have to adjust how they enable their users to control and manage their data. The key thing to remember though, if you are using a service, particularly a social-networking service and you are not paying for it, you’re not the customer, you are the product. These companies make money by gathering data on us and they sell it to advertisers. There are privacy tools but they’re not shouted about. For this reason, people should regularly review their privacy settings,” Honan adds.

Lynn agrees that as most people value the utility they receive from these websites and services and are not willing to pay for them, they are likely to continue to use those services. As such, it probably won’t impact turnover that much. It may, however, impact profits.

“The cost of putting in place the people, processes and systems to support GDPR in a meaningful way is not insignificant and could be particularly burdensome to SMEs. Furthermore, the volume of subject-access requests is to some degree unpredictable. No one may request data or lots of people might. I expect many people will do so from curiosity. This curiosity could costs organisations quite a lot of money, particularly in the early days of GDPR when systems are not quite so robust. So GDPR may increase costs and therefore affect profitability,” he says.

For more information on getting GDPR ready see www.gdprandyou.ie.

Twelve tips for getting GDPR-ready

1. Make sure personnel know the law is changing and they start factoring this into future planning. Identify areas that could cause compliance problems. Review and enhance risk-management processes. Be aware that implementation of the regulations could be costly, so plan.

2. Make an inventory of all personal data you hold and ask questions like why are you holding it, how did you obtain it, how secure is it. This is the first step towards compliance.

3. Check how you currently alert individuals to the collection of their data and see if there are any gaps there.

4. Ensure your procedures cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

5. Make yourself aware of how access requests will change.

6. Look at the various types of data-processing you carry out, identify your legal basis for carrying it out and document it.

7. If you do use customer consent when you record personal data, you should review how you seek, obtain and record that consent, and whether you need to make any changes.

8. If the work of your organisation involves the processing of data from underage subjects, you must ensure you have adequate systems in place to verify individual ages and gather consent from guardians.

9. Think about a Data Protection Impact Assessment (DPIA), which is the process of systematically considering the potential impact a project or initiative might have on the privacy of individuals.

10. Make sure you have the right procedures in place to detect, report and investigate a personal data breach.

11. The GDPR will require some organisations to designate a data protection officer (DPO).

12. The GDPR includes the one-stop-shop (OSS) mechanism, which will be in place for data controllers and data processors that are engaged in cross-border processing of personal data.