1998 seems like a lifetime ago, a time when e-commerce was a fantasy for ordinary people just discovering the internet. Yet 1998 was year zero for the European Union’s Data Protection Directive – the basis for legislation protecting personal data across member states today.
But over the past two decades, digitalisation has detonated a data explosion, giving rise to data mining on a level of sophistication and scale that was unthinkable at the time the directive was conceived. In keeping with the spirit of our globalised age, data, like everything else, is ‘big’ – and so are the threats.
‘A lot of times, companies don’t realise the value of the data that they hold – it’s about valuing what it’s worth to a bad person,’ says Cal Leeming, chief executive at cyber protection firm Lyons Leeming.
Leeming argues that even high-profile data breaches have not dramatically impacted companies in the long term, with penalties, brand damage and stock price falls often being short-term hits.
But on 25 May 2018, that is set to change, with the implementation deadline for the General Data Protection Regulation (GDPR), the updated framework for data protection across the EU. The Regulation forms part of the European Commission’s digital single market strategy, aiming to harmonise data privacy laws across EU member states. It also brings good data practices more sharply into focus by putting them on a statutory footing.
The fundamental tenets of the GDPR are transparency and accountability to individuals, or ‘data subjects’. Organisations must be clear about why they are collecting data, and subjects must be able to access, update and, in some cases, delete that data, as well as withdraw consent for using it. What is more, compliance with GDPR alone is insufficient – organisations must document and demonstrate how they are compliant and provide a clear point of contact for individuals who wish to exercise their rights.
Much of this regulatory upgrade echoes the principles from 1998, albeit much more explicitly. But potentially crippling penalties of up to 4% of global annual turnover (or €20m) for the most serious infringements have forced even non-EU domiciled organisations to take notice. That is because the GDPR expands jurisdictional reach to include personal data processing of subjects if they are based in the EU, even if the entity in question is not.
Vive la révolution?
Consequently, the GDPR has generated a lot of fear. But Garreth Cameron, former policy and engagement group manager at the Information Commissioner’s Office – the UK’s independent information regulator – and now data protection officer, EMEA at Dentsu Aegis Network, strikes a reassuring tone.
‘A lot of the processing that people do, a lot of their business practices, will largely remain the same because the law has evolved, it’s not fundamentally different – the same building blocks are there,’ says Cameron.
Many large organisations agree with this sentiment. Nina Barakzai, group head of data protection and privacy at Sky, feels that the regulation will help businesses, not hinder them.
‘There is a lot of hype around the GDPR, but most businesses that take their confidentiality and data protection obligations seriously are probably already in a place to capture the evidence they need. The new regulations are a welcome update to existing European laws. They have the benefit of harmonising requirements across the European Economic Area (EEA) and building a more consistent understanding of personal data in European jurisdictions.’
‘The benefit of this is to create a form of shorthand, as industries, companies, and parties processing personal data can work with common definitions, standardised frameworks and published guidelines from regulators. This makes it quicker to share data, transfer it internationally and keep it secure to a consistent standard. The extraterritoriality of the regulations helps build this approach out to jurisdictions outside the EEA, to give international data flows a level of certainty of protection for the data subject.’
Although the GDPR is about synchronicity, each EU member state’s experience in legislating for and adjusting to the new regime will be different. Suzanne Rodway, group head of privacy at The Royal Bank of Scotland (RBS), believes that because the UK has had one of the more pragmatic data protection regimes in Europe, GDPR implementation feels like a bigger stretch for UK-headquartered businesses.
‘You hear some European regulators say “it’s evolution, not revolution”. I think in the UK, it’s revolution,’ says Rodway.
But rather than framing the GDPR as another set of rules, the ICO positions compliance as a tool for correcting low levels of trust between businesses and UK consumers.
‘Every year we run an annual survey, where we ask a representative number of people how they feel their data is being used. The key headline is that only one in four UK adults trusted businesses with their personal information; only 16% agreed that businesses were being transparent in their data use; and only 21% thought that businesses would keep their data secure. That’s bad for consumers and bad for business,’ adds Cameron.
The right skills
The GDPR represents major challenges for organisations, especially given the relatively short transition period between the legislation’s adoption in April 2016 and its enforcement in May 2018. Organisations must have an appropriately skilled contact person in place to take responsibility for compliance and, for many (particularly public authorities, organisations carrying out large-scale monitoring and those that process special categories of sensitive data on a large scale), that means hiring a data protection officer (DPO).
Data protection recruitment often falls to the general counsel and, although the role does not inherently require them, there is often a premium placed on legal skills. According to some, however, filtering out those with non-legal backgrounds might be the wrong approach.
‘I know there are quite a few who feel there is a glass ceiling if you didn’t train as a lawyer. It helps to have some lawyers so you can get privilege and things like that, but you need compliance skills or risk skills or alternative metrics to help you do all aspects of privacy,’ says Rodway.
A mix of skillsets is necessary, not least because top-level data protection and privacy candidates are becoming thin on the ground. ‘There is a war for talent,’ says Chris Hurst at executive search consultancy Carlyle Kingswood.
‘You can get someone that’s a good, mid-level person, and then suddenly they’re exposed to the board and the board want someone else – or they want the proverbial “grey hair”.’
The GDPR stipulates that the DPO must report at board level, but in reality, they must be able to influence up and down their organisation. That means the ability to communicate throughout the organisation and marry data protection principles with business goals, as well as provide staff training, are core skills.
‘Underlying a lot of this is business change and so you need people who are influential, who really understand how you implement change within organisations,’ says Cameron.
Systems upgrade
When the company has a working plan, systems will likely need to be upgraded. Improving (or even building) the means to archive, track data flows, apply anonymisation and handle problems caused by removing data fields can be difficult, especially in large organisations. In addition, processes must be configured to allow the level of data control required for members of the public to exercise their right to transparency.
‘Businesses need to be prepared as a customer services supply issue as well as a legal compliance one,’ says Cameron.
‘Subject access requests can be very time-consuming and expensive, which is a symptom of not having good management of data. Those organisations that are running on very outdated infrastructure, where it’s very hard to draw together the information, are going to find it more problematic.’
Consent
Cameron notes that companies and their employees will need to have a better understanding of data protection law, because the GDPR requires organisations to articulate a legal condition for processing personal data and be clear with individuals about that basis.
In many cases, data controllers will look to consent to provide their legal basis for processing. But the GDPR is stringent about how organisations must inform individuals in order to obtain their consent for intended activities, strengthening awareness around the issue and providing detailed instructions to controllers about what information they must give to data subjects. Consent should not be inferred; it should be specific, informed and freely given.
‘The consent needs to be unbundled – so we can’t ask for consent for everything, for example: “By ticking these boxes we accept to receive email magazines or communications, or emails from third parties, from partner companies XYZ”,’ says Maria Lobato, data protection officer at UK retailer Mothercare.
‘It’s a very big deal because of the number of things that you have to say and ask. Now we need to be creative enough to collect the consent in a customer-friendly manner and to ensure we are clear and transparent in the way we do it.’
Preparing for the new normal
Exactly what standard clauses and other practical applications will look like will also need to be ironed out. RBS was one of the first banks to negotiate new terms and conditions for third-party vendors, only to be met with a bewildered response from some suppliers.
Rodway says the difficulty is that ‘No-one knows what standard business terms look like yet. No-one knows what normal is’.
This uncertainty extends to enforcement, with organisations waiting to see how certain aspects of compliance will be interpreted and applied, as well as for a body of case law that can only be built up once the GDPR comes into force.
‘A lot of organisations are applying a risk-based approach, to get as much of the high-risk stuff done as they can by the deadline, acknowledging that there may be an additional backlog of work that will continue post-2018,’ she says.
‘Some may have vendors who refuse to accept your new terms and conditions, so you may have to wait until the contract is up for renewal – so having a hard deadline doesn’t necessarily mean that everything can be completed.’
Worse, there are still a number of organisations panicking about how to set up a programme for GDPR compliance. Rodway predicts that, in the UK at least, the regulatory response will be to assess the extent to which compliance has been attempted, rather than issue massive fines from day one.
As far as the UK is concerned, the elephant in the room is Brexit. As a soon-to-be-ex-EU-member, the UK could, theoretically, escape the GDPR’s gaze after 2019. However, all indications are that this will not be the case – and that businesses do not desire a slimmed-down version.
Cameron says that the UK government’s announcement of its Data Protection Bill is a signal to businesses that data protection remains a top priority, irrespective of Brexit.
‘Data by its very nature is the fluid by which trade moves, and it’s absolutely vital for us to have unencumbered transfers across national boundaries. It’s very important that data protection doesn’t become a barrier to UK companies being able to trade with the EU, so I think that’s going to be a real relief for businesses. Certainly, all of the organisations and representative groups that I speak to are really keen to ensure that we have strong data protection laws,’ he says.
Rodway also takes the view that there will be no dramatic divergence between the European and UK positions on data protection, citing the importance of agreed adequacy as a key incentive for the UK government to ensure equivalence.
However, Darren Jones, MP for Bristol North West (and former lawyer at BT Consumer leading on GDPR implementation), thinks there could be scope for using data protection legislation to improve Britain’s competitiveness in the global data economy.
‘The first job is to ensure legislative equivalence before any Brexit date. But, I’m just thinking aloud here, if the ICO only charges 3% of global turnover instead of 4% if you’re based in the UK – maybe that will be an offer in a post-Brexit world to keep digital businesses in the UK while maintaining equivalence on the compliance requirements of GDPR. Whether the EU would argue that was actually a derogation of equivalence, we’d have to see.’
The role of in-house teams
In-house lawyers can play an important role in supporting the DPO to spread engagement and understanding across the business, particularly as they may enjoy closer relationships with the functions they support than the data protection team itself. Alongside designing their processes with privacy in mind, the legal team can be instrumental in getting past the fear factor and selling the commercial case for GDPR compliance.
‘In-house lawyers will be able to spot where slight adjustments to existing confidentiality processes can help get to a privacy-compliant starting point. It is then a much easier task to add incremental changes to an existing process to meet new obligations,’ says Barakzai.
‘It then ceases to be an instruction coming from the top down, for something that may be forgotten because it is not part of a daily activity.’
Security expert Leeming echoes this sentiment, if more boldly: ‘You can treat GDPR as a baseline and say “If I go an iota underneath it, I will fail.” But rather than keep the minimum requirements, treat GDPR like an exam. You wouldn’t just try and aim for Cs – you would aim for as high as you can.’
Catherine Wycherley is an editor of GC magazine.
GDPR: the private practice view
The headlines created by the introduction of the General Data Protection Regulation (GDPR) have been plentiful, similar to the hype surrounding Y2K back in 1999. However, the difference with GDPR is that ‘there is nothing speculative about it’, says Mark Watts, a data privacy expert at Bristows.
Coming into force in May, GDPR demands a significant cultural shift. As such, data protection experts in private practice have been kept busy dealing with the concerns of their client legal teams. And plenty is keeping them awake at night.
‘Since the publication of the final form of the regulation, we have been advising clients on GDPR-compliant marketing and advertising solutions,’ says Barry Fishley, head of the technology and intellectual property (IP) transactions practice at Weil, Gotshal & Manges in London. ‘We are already assisting clients with reviews of consent-gathering mechanisms, fair-processing language and other direct marketing-related enquiries. We foresee this continuing for some time. In addition I expect requests for us to act as an external data protection officer.’
The best thing clients can do, for their own sake and for the sanity of their legal advisers, is to get on with what is required. ‘People starting relatively recently will have a lot of work to compress into a few months,’ says Watts. ‘My advice is to start. There is nothing you can do about starting late. Companies should look at what are the most important contracts for the business, which suppliers are most relied on and how to handle the most sensitive information. Then it starts to look like an achievable goal. It shows that you have paid attention to GDPR, even if it is still work in progress.’
Patrick Wheeler, head of IP and data protection at Collyer Bristow, adds that fines may be used to focus minds and provide the necessary stick to beat companies into compliance. However, he recognises that the Information Commissioner’s Office (ICO) is unlikely to throw its weight around in the early days and will recognise the importance of pragmatism: ‘The ICO has been putting out statements that it doesn’t require all businesses to be fully compliant from day one, but every business should have a plan that it is implementing and that this will be completed within a reasonable period of time.’
Alejandro Padín, head of the IT, data protection and e-commerce practice at Garrigues, says there are uncertainties arising from the fact that various European jurisdictions are adapting their domestic legislation at a very different pace and in very different ways. ‘It will not be easy to implement general policies in multinational companies that are directly applicable in every country in which they operate. It is also very difficult to imagine how the fines and punishments are going to be imposed in each jurisdiction. The risk-based approach that the GDPR establishes needs to include the evaluation of a very peculiar risk: the local jurisdiction risk.’
But with any major regulatory overhaul, it’s the uncertainty and ambiguity that will kill you. ‘The GDPR was promulgated with the best of intentions, but we have yet to find out what road it will lead us down,’ says Kuan Hon, a director in the privacy, security and information group at Fieldfisher. ‘It’s much more prescriptive than current laws. This raises the risk that it may cause some shift in focus, away from respecting fundamental privacy principles and towards bureaucratic box-ticking. Also, its prescriptiveness means it may fail to be technology neutral or future proof. It will be important to ensure the myths and misinformation are displaced by proper education.’
Chris Crowe