The General Data Protection Regulation (GDPR) replaces the previous Data Protection Act and considerably tightens the rules on privacy and consent.
In the first of a series of articles on GDPR, Martyn Jansen, Contracts and Legal Compliance Manager for Eduserv, explains why compliance with GDPR – although not enforced until 25 May 2018 – should be very much on the CIO's agenda now.
Firstly, we all need to accept that GDPR is the right thing to do
Currently, when you speak to CIOs you will find that compliance with GDPR is low down on their priority list. Instead, they are focused on transforming operations and also securing systems to help support new digital ways of working.
In some ways this is understandable. It is also a mistake, and the industry as a whole bears some blame for it, because we have talked about GDPR only in negative terms. GDPR is being seen as a burden to be dealt with under sufferance, and only because you might get a larger fine if you don't comply. This is the wrong way to look at things. GDPR needs to be far higher on leadership agendas simply because it is the right and proper thing to do – and it could even make organisations more competitive.
Let me explain. At its heart, GDPR is designed to considerably increase individuals’ rights on personal data, particularly with regard to:
- the need for organisations to have consent or one of five other specific legitimate reasons to hold and process individuals’ data, including all legacy data (see ICO guidance on consent and lawfulness of processing conditions)
- the right of individuals to be forgotten
- the right of individuals to make subject access requests at any time
- the need to protect data and privacy more effectively through technical measures such as encryption and pseudonymisation
“The digital economy is primarily built upon the collection and exchange of data, including large amounts of personal data – much of it sensitive. Growth in the digital economy requires public confidence in the protection of this information. Citizens want the benefits of these digital services but they want privacy rights and strong protections too. Having sound, well-formulated and properly enforced data protection safeguards helps mitigate risks and inspires public trust and confidence in how their information is handled by business, third sector organisations, the state and public service.”
In line with this thinking, organisations need to see GDPR as an opportunity and grasp it as such. GDPR will make organisations much more efficient in the way they manage, process and protect personal data. It could also help them use data more profitably for their own ends. Indeed, if organisations say they are intent on ‘transforming’ for a digital data-driven age, GDPR can be a cornerstone of that effort.
Time really is short
There is no doubt that organisations should be assessing their GDPR readiness now. Take the issue of consent. The current consensus is that in-house IT departments face a huge task auditing legacy data: finding out where it all is, establishing where consent was validly obtained (or where another lawful basis applies), and deleting records where it wasn't and fresh consent cannot be obtained. In some cases they will find that records cannot be deleted, for example because financial regulations require them to be retained. Retention is then justified by that legal obligation rather than by consent, and GDPR expects such data to be protected by measures such as pseudonymisation or, where the link to the individual is no longer needed at all, anonymisation. Note the difference: pseudonymised data is still personal data and stays within GDPR, because someone holding the additional information (typically a key) can re-identify the individual; only data that can no longer be attributed to an individual by any reasonably likely means falls outside it. These are time-consuming processes, and the time to start is now.
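As an added illustration of what "pseudonymise the records you cannot delete" looks like in practice (this is example code written for this article, not Eduserv's tooling or anything the original author supplied), the block below takes a constructed set of legacy invoice records, strips the direct identifiers, coarsens the quasi-identifiers, and replaces the person with a keyed HMAC token. The field names, the sample data and the choice of HMAC-SHA256 tokenisation are assumptions made for the example; the point is that the token stays consistent per individual so the invoices can still be reconciled, while re-identification needs a key that is stored and controlled separately from the data set.

```python
import copy
import hashlib
import hmac
import secrets

# Constructed sample of "legacy" records that must be retained because the
# invoices are needed for financial record-keeping (illustrative data only).
LEGACY_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "dob": "1984-03-12",
     "postcode": "BA1 1AA", "invoice_id": "INV-1001", "amount": 120.00, "paid": "2016-05-01"},
    {"name": "Alice Example", "email": "alice@example.org", "dob": "1984-03-12",
     "postcode": "BA1 1AA", "invoice_id": "INV-1002", "amount": 80.00, "paid": "2016-11-20"},
    {"name": "Bob Sample", "email": "bob@example.org", "dob": "1971-09-30",
     "postcode": "BS2 4QS", "invoice_id": "INV-1003", "amount": 45.50, "paid": "2017-01-15"},
]

DIRECT_IDENTIFIERS = ("name", "email")  # removed from the retained data set
SUBJECT_KEY = "email"                   # field the pseudonym is derived from


def new_pseudonymisation_key() -> bytes:
    """Generate the secret that links tokens back to people.

    Keep it apart from the data set (a key vault or HSM, under its own access
    control). Whoever holds this key holds the re-identification capability,
    so the data stays personal data under GDPR for as long as the key exists.
    """
    return secrets.token_bytes(32)


def pseudonym(subject_id: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the normalised identifier.

    The same person always gets the same token, which keeps their invoices
    linkable, but without the key nobody can confirm a guessed e-mail address
    against the data set. A plain unkeyed hash would not give that property:
    e-mail addresses are easy to guess and hash.
    """
    normalised = subject_id.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def generalise(record: dict) -> dict:
    """Coarsen quasi-identifiers that could re-identify someone on their own
    or in combination (full date of birth plus full postcode is often enough)."""
    out = copy.deepcopy(record)
    out["birth_year"] = out.pop("dob")[:4]                   # keep year only
    out["postcode_district"] = out.pop("postcode").split()[0]  # e.g. "BA1"
    return out


def pseudonymise(record: dict, key: bytes) -> dict:
    """Return a copy of the record with identifiers replaced by a token."""
    out = generalise(record)
    out["subject_token"] = pseudonym(out[SUBJECT_KEY], key)
    for field in DIRECT_IDENTIFIERS:
        out.pop(field, None)
    return out


def pseudonymise_dataset(records, key: bytes) -> list:
    return [pseudonymise(r, key) for r in records]


def can_reidentify(token: str, candidate_email: str, key: bytes) -> bool:
    """Only a key holder can do this: given a candidate identity (for example
    the person making a subject access request), test whether a token is theirs."""
    return hmac.compare_digest(token, pseudonym(candidate_email, key))


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    for row in pseudonymise_dataset(LEGACY_RECORDS, key):
        print(row)
```

Two design points are worth spelling out. First, the invoice fields (`invoice_id`, `amount`, `paid`) are untouched, which is the whole reason the records are being kept; what changes is only who they can be attributed to. Second, deleting the key does not on its own make the output anonymous: whether the remaining birth year, postcode district and payment history could still single someone out is a judgement about residual re-identification risk that has to be made per data set, not something the code decides.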
Budgets might be limited, which means proper risk assessments need to be carried out to ensure spending is proportionate to risk
Although GDPR is going to be good for business in the long run, there is no getting away from the fact that it has a cost, which is another of the major reasons why some organisations are reluctant to prioritise GDPR right now. This is especially true of local authorities and charities, where budgets are particularly tight. However, the cost is going to have to be borne at some point, and the smartest organisations are the ones doing their risk assessments and legacy data audits now. This lets them work out exactly what their exposure is and make sure their spending is proportionate to the risk they face and as cost effective as possible. For example, if organisations find they need to invest in ways to pseudonymise or anonymise data, they will have time to work out how to do it at a manageable cost. Pseudonymisation or anonymisation won't be cheap, but you are far more likely to find a cost-effective way of doing it if you are not doing it at the last minute in 2018.
You’re going to need to change the way you work with IT suppliers too
Another good reason why GDPR should be a matter of some urgency, particularly for CIOs, is that it is also going to affect your relationship with IT suppliers.
This is because by enhancing the rights of data subjects, GDPR not only increases the responsibilities for data ‘controllers’ (i.e. your organisation), but also for data processors (i.e. your IT service provider or public cloud provider).
Prior to GDPR, a service provider was required to process data only in accordance with the customer’s requirements. That means your service provider didn’t need to know about the characteristics of the data involved. Under GDPR, however, both controllers and processors are under a similar duty to ensure that the regulations are properly implemented.
In this new world, you will need to confirm to your IT suppliers that the data you hand them is lawfully held, with valid consent or another lawful basis, even for legacy data. Suppliers, on the other hand, will need to tell you about the technical and organisational measures they implement to protect that data, so that you can in turn give individuals accurate information about how their data is handled. In other words, you are going to need a new and workable process between you and your supplier for establishing and documenting the lawful basis for processing. Contracts will also need to be reviewed: GDPR (Article 28) requires a written contract between controller and processor that sets out, among other things, the subject matter and duration of the processing, the processor's duty to act only on the controller's documented instructions, its security obligations, and its duty to assist the controller with data subject requests and breach notification. If you haven't started this already, it is worth bringing it forward before serious work is undertaken without either party knowing what their true responsibilities are.
So overall, while May 2018 may seem a while off right now, it is actually a very short deadline that does not leave much time to address everything you need to think about. Organisations need to think positively, and start planning for the change now.
Eduserv and GDPR
Eduserv provides a comprehensive range of cloud, digital development, data and cyber security services for the public sector and charities across the UK. We have in-depth knowledge of the way organisations need to manage and protect personal data in all these contexts and are actively helping our customers to prepare for GDPR compliance. For more information get in touch with Martyn Jansen at Martyn.Jansen@eduserv.org.uk or 01225 474 336.