With less than four months until the GDPR comes into force - on 25th May 2017 - organisations across Europe are racing to prepare for the changes. And while the legislation means extra work for thousands of businesses, few would deny that it's long overdue. The original Data Protection Act was passed way back in 1998, when the internet barely existed, and cyber attacks weren't a serious concern for most businesses.
But fast forward 20 years and huge advancements in technology and the internet have brought a data explosion in their wake. We now think it's perfectly normal that online companies know where we live, who we're friends with and what we like to eat. Yet with so much of our personal data involved, we need the reassurance that it's adequately protected. And that is where the GDPR comes in.
What are the changes?
The GDPR significantly strengthens previous regulations, giving consumers greater control over their data, while increasing the onus on companies to keep this information safe.
Key changes include a shift from the allowance of "opt out" consent to the requirement for consent to be explicitly "opt in", as well as greater powers for customers to access their own data. There is also a greater obligation for businesses to document what they're doing to protect sensitive customer details, while incorporating 'privacy by design' into everything they do.
On top of that, the potential fine for non-compliance will also increase, with fines of up to €20m or 4% of annual turnover – whichever is higher. So, if you're not already on top of your responsibilities, it's time to get prepared.
Here's more details on the key points to be aware of:
What data is covered? The GDPR refers to any Personally Identifiable Information (PII), so anything that can be used to identify an individual, including their name, email address, telephone number, date of birth or anything more specific such as GPS data, an IP address, or health information.
The role of the Information Commissioners Office (ICO): If you plan to collect, store and/or use PII, you must inform the ICO. You can find out more about registering with the ICO here. There are a few exceptions, but most businesses need to register.
The key principles that you must comply with are:
1. Process data justly and fairly: You must have a good reason for storing and using personal data. The data may be necessary to providing your product or service - therefore incorporated in your contract with the client – or the customer must have given their permission for you to store and use it. And under the new rules it must be an 'opt in' rather than an 'opt out' - no sneaking a tiny 'opt-out' box where nobody can read it!
3. Data must be adequate and not excessive: You should only hold as much information on individuals as you need. Anything you don't need should be destroyed.
4. Personal data should be accurate and up-to-date: If you're holding a lot of data, it may be tricky to ensure it's all completely accurate. But you need to take reasonable steps to ensure it is as accurate and up-to-date as possible, putting processes in place to update or destroy old or inaccurate records.
5. It shouldn't be kept longer than necessary: There is no minimum or maximum length of time that you can keep personal data, but you should consider how long you need it and destroy it once it's fulfilled its purpose. This also helps with point four, as it reduces the chance of you holding out-of-date, inaccurate data.
6. Security: You must have sufficient security to avoid data being either deliberately or accidentally compromised, including both technical security and robust processes and procedures, including training your staff sufficiently. You must also be ready to respond to a breach if the worst happens.
7. It should be processed in accordance with individuals' data rights: There are now eight rights to be aware of, enhancing on the six listed in the Data Protection Act (DPA). These cover an individual's right to have access to their data, have it erased, restrict usage and move it from one IT provider to another. Companies also have less time to comply with customer requests than under the DPA – only one month, rather than 40 days.
8. Accountability: This aspect of the law has been strengthened significantly in the GDPR, stating that businesses must put in place measures to show that they are complying with the rules. This includes tools such as internal data protection policies, staff training, internal audits, and reviews of internal HR policies. The idea is to carry out 'privacy by design', whereby data protection is hardwired into the processes and behaviours of your organisation. If you carry out large-scale tracking of individuals, or are involved in processing specialist data then you will also need to appoint a Data Protection Officer.
Is your business ready?
Despite the hefty penalties, recent research revealed that three quarters of small and medium sized businesses in the UK aren't prepared for the GDPR, while just one in three are aware of its implications. Meanwhile, the Information Commissioner's Office (ICO) revealed that the number of fines for data protection breaches is on the rise, up from 18 in 2015 to 35 in 2016 – amounting to £3.2m in total.
With the very real risk of prosecutions and fines for non-compliance, SMEs should therefore be looking at their obligations with some urgency. A good place to start is to run through all the data you hold, where, and how it's stored, while checking all your processes, privacy and security policies for any gaps. There's loads of guidance on the requirements and your responsibilities, on the ICO website, which will also help.
There are also some really cool companies that can ease the road to compliance, such as PORT, which has built GDPR software for businesses. You can hear more how how it works in our interview with the data innovators making GDPR work for everyone.
Getting your team behind data security
The all-encompassing nature of the GDPR means that protecting sensitive data can no longer be left solely to the IT department or office manager. Data is everyone's business and every employee has a role in keeping it safe, particularly as such a large proportion of data breaches involve human error.
There are a number of ways you can engage employees in the GDPR and the importance of data protection:
1. Top down engagement: The stakes are now so high that data protection and cyber security are executive level issues. That means that management must lead by example, to ensure the message is communicated effectively across the whole organisation. There's no point expecting employees to get on board with the new rules if the CEO doesn't set the tone for everybody.
2. Introduce a data protection policy: A clear and concise policy should include key dos and don'ts regarding handling sensitive information, customers rights, as well as password security and how to detect and report any data concerns or suspicious activity. It can form part of the induction process, with all employees required to read and sign it, as well as acting as a reference guide, if ever anybody has a query about handling data.
3. Build into your mission and values: As part of a 'privacy by design' approach, consider including a data protection element in the mission and values of your company, as well as including it in job descriptions, employee contracts and progress reviews. That way it always stays front of mind with staff and that they understand its importance.
4. Regular training and communication: Cyber training is often overlooked – a recent Government survey found that only 20% of businesses have ever given staff some kind of cyber security training. And while it might sound dull, it doesn't have to be. Try to be creative about how you do it by organising quizzes, events and learning from examples of where organisations have been caught out.
5. Access controls: Cultural change is important, but it's also vital to control who can access what data in your organisation. Only those employees that need certain information should be able to gain entry to the files in question, with password protection in place at the very least, and further authentication if possible. The access levels required by each employee should also be tracked so that nobody has any log-ins they don't need. Privileges should be automatically revoked and details changed when employees leave the company.
How to implement privacy by design
One of the core changes that the GDPR will introduce is the concept of 'privacy by design', which wasn't touched upon in the previous Data Protection Act. Implementing privacy by design isn't a requirement of the act, as such – more of a recommendation. However, that doesn't mean you should ignore it, as it could make complying with your other obligations easier, and help you build a more secure and sustainable business in the long-run. So, what is it and how can you do it?
The wording of the GDPR is ambiguous, to say the least, but the Information Commissioners Office (ICO) has put forward a much clearer description of privacy by design, which is "an approach to projects that promotes privacy and data protection compliance from the start." It is believed to have stemmed from the concept of 'value sensitive design', which takes human values into account throughout the entire design process, building inherently secure systems and processes, rather than bolting protection on retroactively.
Privacy by design would therefore come into play if you were installing a new IT system, implementing a data sharing initiative or, if you're a start-up, building your business from the ground up. The benefits of taking this approach are numerous, not only helping you to comply with the GDPR, but also enabling you to identify potential privacy issues earlier, address them in a simpler and less costly way, while also encouraging innovation and protecting your business reputation.
Seven foundational principles
Seven 'foundational principles' of privacy by design have been established by The Information & Privacy Commissioner of Ontario (IPC). They are:
● Proactive not reactive – preventative not remedial: You should aim as much as possible to anticipate and prevent data privacy risks before they happen. On the flipside, you shouldn't wait for risks to materialise or take action after privacy infringements have occurred.
● Privacy as the default setting: Customer information should be automatically protected by IT systems and processes. In other words, if an individual does nothing, their data should be protected. This is in keeping with the GDPR's 'opt in vs opt out' stipulation.
● Embed privacy into design: This is the point about privacy being integrated into technology and systems from the beginning, not bolted on afterwards. It should be an essential component of the core functionality being delivered.
● Retain full functionality (positive sum not zero sum): Privacy by design aims to avoid unnecessary trade-offs, whereby functionality or security suffers as a result of privacy – or vice versa. So, your product or service should work just as well with privacy incorporated - it should be a win-win for all objectives.
● Ensure end-to-end security: This refers to the need for privacy to extend throughout the lifecycle of the data involved. It should be obtained, retained and destroyed with privacy concerns in mind.
● Maintain visibility and transparency – keep it open: Processes and operations should be visible and transparent to users and providers, giving reassurance that data is being treated in compliance with regulations and best practice.
● Respect user privacy – keep it user-centric: And finally, privacy by design should always design systems and processes in the interests of the user, with privacy defaults, appropriate notice and user-friendly options.
The role of a Privacy Impact Assessment
One of the main tools in a privacy by design approach is a Privacy Impact Assessment (PIA), which should be carried out at the beginning of any project involving personal data. The idea is to analyse the impacts that the project will have on the privacy of individuals involved, looking to minimise these as much as possible, while also complying with the seven principles above. According to advice from the Information Commissioners Office, a PIA should involve:
● Plotting and analysing information flows: How information will be obtained, used and stored as part of the project
● Identifying any privacy and related risks: This could be risks to individuals as well as risks to organisations through regulatory action or reputational damage
● Identifying and evaluating solutions to overcoming or removing those risks: Analysing both impact on privacy, the project outcome and the cost involved.
● Consulting with people who will be working on or affected by the project: This could be internal and/or external audiences, enabling them to highlight risks based on their own expertise or perspective.
Working through this process at the beginning of any new project puts you in a good position to bake privacy into its execution, while also aiding compliance with other aspects of the GDPR, such as accountability, which calls for a paper trail around data protection.
Data protection isn't something you can do once and forget about for another year or two. As technology evolves and the data mountain keeps getting bigger, it requires constant attention to ensure you're sticking to the rules, while protecting your customers and your business reputation at the same time.
And don't forget, if the worst does happen, cyber liability insurance can protect you for a breach of data protection laws (where insurable by law) and your liability for handling data. It can also provide cover for extortion, system rectification costs, plus PR expenses and financial loss due to system downtime. To find out more, drop us a line at firstname.lastname@example.org, or give us a call on 0333 772 0759.