With the GDPR implementation date of 25th May rapidly approaching, many organisations are making a last-minute sprint to try to address outstanding compliance issues. You only have to take a look through your inbox to see a raft of messages informing you of updated privacy policies, terms and conditions and requests for consent to remain on email marketing lists (something that should have been standard practice for any marketing department worth its salt).
There are already several legal requirements around data privacy and protection which have been largely ignored by many organisations, so why the urgency to comply with at least some aspects of GDPR?
For a start, the potential fines run to €20m or 4% of global turnover, and the GDPR allows for member states to impose criminal penalties for breaches of the regulation. GDPR also incorporates the concept of accountability for Data Controllers and Processors, so compliance with GDPR – and the ability to demonstrate compliance – will be key to avoiding breaches in the first place and minimising penalties if a breach does occur.
What nobody really knows at this stage is how the GDPR will be regulated. Will it be a light touch, with local regulators providing guidance and best practice to help organisations comply with the rules? Or will GDPR be a tool used to extract revenue from organisations – especially the big data giants like Amazon, Apple, Facebook, Google and Microsoft?
In the UK, the Information Commissioner's Office (ICO) is the body responsible for regulatory action over breaches of a variety of legislation, including the Data Protection Act and the General Data Protection Regulation.
Fortuitously, the ICO has a draft Regulatory Action Policy out for consultation and this document gives a pretty good indication of how the UK plans to regulate the GDPR.
The draft policy outlines the ICO's objectives and priorities and sets out a hierarchy of regulatory action, giving organisations a pretty good idea of where the ICO will be deploying its resources and what will be required of them in the event of an investigation.
From a business perspective, it is encouraging to see that the ICO intends to “create an environment within which, on the one hand, data subjects are protected, while ensuring that, on the other hand, business is able to operate and innovate efficiently in the digital age.”
Organisations concerned about the administrative burden of GDPR and the danger of penalties will be pleased to note that the ICO is committed to “ensuring that commercial enterprise is not constrained by red tape, or concern that sanctions will be used disproportionately.”
Of course, whatever the intentions of the ICO, it remains to be seen how the legislation will be regulated and enforced in practice – not just in the UK, but across the rest of the EU.
Political and public pressure will be in play, and of course, the legal profession will be seeking opportunities from the raft of data protection and privacy legislation that is being added to the statute books.
In its draft Regulatory Action Policy, the ICO says it will be focussing on the following types of breaches:
1. Those involving highly sensitive information
2. Those adversely affecting large groups of individuals
3. Those impacting vulnerable individuals
Organisations dealing with personal data on a large scale should of course already have good data security processes and privacy measures in place, so compliance with GDPR shouldn’t be a particularly onerous additional burden.
Public sector bodies – in particular, those involved with social services and the NHS – may have to up their game and invest additional resources to comply with GDPR and other privacy legislation.
Commercial organisations working within the health sector – either directly or within the supply chain – should prioritise being able to demonstrate GDPR compliance, especially if they expect to be tendering for public sector contracts.
One area that is bound to attract attention from the regulator is any organisation handling personal data of minors – one easily identifiable ‘vulnerable’ group.
The large social media players are the obvious targets, but anyone involved in the education sector, online gaming, apps targeting children, or any activity that might require handling personal data of minors should be making data privacy a priority if it isn’t already.
In addition to the key areas of focus for the regulator, the ICO’s Draft Regulatory Action Policy also enumerates its priorities for the coming year, viz.:
1. Large scale data and cybersecurity breaches involving financial or sensitive information
2. AI, big data and automated decision making
3. Web and cross device tracking for marketing (including for political purposes)
4. Privacy impacts for children (including Internet of Things connected toys and social media marketing apps aimed at children)
5. Facial recognition technology applications
6. Credit reference agencies and data broking
7. Use and sharing of law enforcement data, including intelligence systems
8. Right to be forgotten/erasure applications
So at least we have some idea where the ICO will be targeting its resources and which sectors are likely to come under the spotlight.
If your compliance efforts are running behind schedule, just remember that data privacy is an ongoing process – it’s not just a case of ticking boxes and producing a few policies to show to a regulator if or when you get hit by a data breach.
Data protection and data privacy are about education and culture as much as policies, procedures and physical security measures.
All the indications are that the ICO will be taking the role of guiding and advising organisations in their GDPR compliance journey. As the Information Commissioner – Elizabeth Denham – said on her official blog:
“…it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.
The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”
All indications are that if you have a regular business that isn’t dealing with sensitive data on a large scale – and isn’t playing fast and loose with customer data – you’ll have nothing to fear from the GDPR.
Indeed, used properly, your GDPR compliance journey should forge stronger, more trusting – and therefore more profitable – relationships with your customers.
BTW – if, having read the draft Regulatory Action Policy, you’d like to contribute your thoughts on the ICO’s plans for regulating GDPR and the other legislation for which it is responsible, you can complete this survey up until 28th June.
ICO – Draft Regulatory Action Policy
ICO – Draft Regulatory Action Policy Survey
EU – General Data Protection Regulation
ICO – Enforcement Action
ICO – Information Commissioner’s Blog
GDPR – Cost of non-compliance