On the 25th May 2018, the data landscape of the UK and Europe will change undeniably with the introduction of the General Data Protection Regulation, or GDPR. Many organisations, big and small, are trying to understand what this means for their business and how to best prepare. In short, at this moment in time, there is no definitive answer. The Regulation is so far poorly explained, and there is no case law to refer to for definitive guidance: businesses are therefore left to assess their own vulnerabilities and hope to be able to implement suitable changes.
My Future Cloud is a Digital Strategy Consultancy, working with some of Europe’s leading Data Lawyers to provide a GDPR Compliance and Implementation service that helps organisations navigate the myriad technical and legal obligations they must fulfil. MFC’s unique value proposition is in applying best practice to how data moves, is stored and is acquired by businesses for reporting, marketing and sales purposes – the main activities that GDPR is seeking to regulate.
Below we explain and demystify some elements of what GDPR is and how it is applicable to your business.
Question: How should businesses store data, and what data can they hold?
Current data laws in the UK concern the good handling of “personal data”. Broadly speaking, personal data is data that identifies a living individual, for example an email address or name and home address. The good handling of personal data is contained in a broader subject matter called Data Governance. The GDPR will regulate personal data to ensure good Data Governance.
Any organisation can store personal data as long as they have a justification for collecting and handling it. Consent is one of a number of justifications that can be established and is probably the most onerous of justifications to obtain and maintain. Other justifications, such as performance of a contract or legitimate interests, are easier to establish and are often more appropriate.
A key principle of the GDPR is being able to demonstrate your compliance with the regulation. This includes showing how an organisation has determined which justification should apply and why, which can all be contained in a simple file note.
Another principle of the GDPR requires appropriate security to be imposed around any personal data that organisations handle.
Information Security (IS) is a massive subject matter on its own and yet is only one component of Data Governance. When pursuing a programme of Data Governance, it is important not to become sidetracked by IS but to deal with it alongside the other aspects of Data Governance and the requirements of the GDPR.
A useful way of distinguishing between the two subject matters is to consider the following:
- Data Governance concerns the human behaviour and working practice within an organisation in relation to the good and proper handling of personal data, such as which personal data to handle, the purpose for which it should be used and for how long it should be retained;
- IS covers the facilities necessary to ensure such good and proper handling, i.e. how an organisation should store personal data, such as through the use of firewalls and encryption.
The GDPR does not prescribe how personal data should be stored. It requires the organisation handling the personal data to determine the type and level of security to use based on the risk of loss, theft, damage or unauthorised disclosure (e.g. through leakage or hacking) of the relevant personal data. The more valuable, confidential and sensitive the personal data, the greater the level of security that should be imposed.
The GDPR suggests certain facilities and practices that can be used in order to achieve compliance with the GDPR’s security requirement. More on that below.
Question: What might be a potential pitfall for breaching data rules?
Good Data Governance assures the privacy of individuals and the confidentiality of their personal data.
From an organisation’s perspective, good Data Governance:
- ensures compliance with the GDPR and other data laws; and
- is the sign of a healthy organisation in corporate governance terms.
Businesses who consider themselves to have good Data Governance use this as a selling point as a responsible supplier to customers.
Bad Data Governance can have a significant impact on the reputation of an organisation and the willingness of others to do business or otherwise deal with that organisation. It can also result in a complaint by an individual to the UK Information Commissioner’s Office (ICO).
Organisations will also be required to report data breaches to the ICO under the GDPR. The ICO will have enhanced investigatory powers under the GDPR in response to such a complaint or data breach report.
The ICO will be able to impose significant penalty awards against an organisation in the event it determines that there has been a breach of the GDPR and/or other data laws.
Question: How do businesses make sure the data is secure?
Again, the GDPR does not prescribe the type and level of security to impose when handling personal data.
The GDPR does not prescribe how personal data should be stored as there is no “one size fits all” security solution because of the individual nature of personal data and how organisations handle it.
The GDPR requires the organisation handling the personal data to determine the type and level of security to be used based on the risk of loss, theft, damage or unauthorised disclosure (e.g. through leakage or hacking) of the relevant personal data.
The more valuable, confidential and sensitive the personal data (such as health or financial information that could cause damage or distress to the individuals concerned if it fell into the wrong hands), the greater the level of security that should be imposed.
The GDPR suggests certain facilities and practices that should be considered when complying with its security requirement. These include:
- encrypting and/or pseudonymising the personal data;
- ensuring the ongoing confidentiality, integrity, availability and resilience of the systems that process the personal data;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of the measures for ensuring the security of the processing.
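As an added illustration of the first item in the list above (pseudonymisation), and not code from the original article or from MFC, the following Python example pseudonymises a small customer list with a keyed hash. The record fields, the field chosen as the direct identifier and the key handling are assumptions made for the demonstration. The point it shows is the one the GDPR definition turns on: the pseudonymised copy can still be analysed (the same person always gets the same token), but the key and the re-identification table are held separately, so whoever only has the dataset cannot get back to the individual.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample customer records for the demonstration (not real people).
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "postcode": "SW1A 1AA", "plan": "gold"},
    {"email": "bob@example.com", "postcode": "M1 1AE", "plan": "silver"},
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "plan": "gold"},
]

# Fields assumed to directly identify a living individual; these must not reach
# the analytics/reporting copy of the data.
DIRECT_IDENTIFIERS = ("email",)


def normalise(value: str) -> str:
    """Canonicalise an identifier so trivially different spellings map to one pseudonym."""
    return value.strip().lower()


def make_pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier.

    The key is required to compute the token, so someone holding only the
    pseudonymised dataset cannot re-derive it by hashing candidate addresses.
    A plain, unkeyed SHA-256 of an email address would not give that property.
    """
    digest = hmac.new(key, normalise(value).encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()


def pseudonymise(records, key: bytes):
    """Return (pseudonymised_records, lookup_table).

    The lookup table maps pseudonym -> original identifier. It is the
    'additional information' that must be kept separately from the dataset,
    e.g. under different access controls, for re-identification to be possible.
    Remaining fields such as postcode are still indirect identifiers, which is
    why this is pseudonymisation and not anonymisation.
    """
    output = []
    lookup = {}
    for rec in records:
        new_rec = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            token = make_pseudonym(rec[field], key)
            lookup[token] = normalise(rec[field])
            new_rec[field + "_pseudonym"] = token
            del new_rec[field]
        output.append(new_rec)
    return output, lookup


def reidentify(token: str, lookup: dict) -> Optional[str]:
    """Re-identification is only possible for whoever holds the separately stored table."""
    return lookup.get(token)


if __name__ == "__main__":
    # The key is generated once and stored away from the pseudonymised data
    # (for instance in a secrets manager the analytics team cannot read).
    key = secrets.token_bytes(32)
    data, table = pseudonymise(SAMPLE_RECORDS, key)
    for row in data:
        print(row)
    # Only the holder of the table can answer "who is this token?", e.g. for a
    # subject access or erasure request.
    print(reidentify(data[1]["email_pseudonym"], table))
```

Rotating the key produces a fresh set of tokens, so an organisation that re-keys when a dataset is shared with a new processor prevents tokens from being matched across recipients; the lookup table for the old key then needs to be retired or re-generated alongside it.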
Fundamentally, organisations must carry out a risk assessment in order to determine the most appropriate security measures to impose both physically and digitally.
When making such assessment, an organisation should consider the state-of-the-art technology available and the costs involved in imposing it.
Organisations are not expected, however, to put themselves into financial difficulty in order to comply with this requirement.
The ICO and guidance for GDPR?
Ultimately, there is little (reliable) guidance on how to adhere to the GDPR. However, the ICO provides some excellent tips on Information Security, which should prevent (or at least reduce the risk of causing) data breaches.
These top tips are accessible here: https://ico.org.uk/for-organisations/guide-to-data-protection/it-security-top-tips/
GDPR is comprehensive and designed to regulate the unknown. Technology has evolved so quickly that any form of governance and regulation (typically slow by nature to define and apply) must be broad and all-encompassing in order to be robust enough to effect change. The potential fines are large (4% of gross global turnover or 20 million Euros, whichever is larger) to ensure people listen!
By not ignoring the GDPR and applying best practice standards to your business, you stand a good chance of avoiding the full attention of the ICO if a data breach or complaint is made.
Simply put: be prepared and proactive. GDPR is only going to become a bigger and more important part of business governance, forever.
Get in touch with MFC to discuss your business challenges and find out how we can help you prepare for GDPR.
Call us on +44 (0)20 7332 2322 or send us a message on our contact form.