Six months on from the GDPR deadline of 25 May 2018, I still come across many business owners and senior managers who remain confused and bemused about what data protection compliance means in practice. In part, this is because a lot of activity and commentary has focused on aspects of the nitty gritty. From our own experiences we know that understanding three ‘higher level’ points about GDPR really helps organisations set their priorities and processes in a much more proportionate, robust and sustainable way. Let’s look at each in turn.
Evidence of effort
The GDPR regulator in the UK is the Information Commissioner’s Office (the ICO). The ICO does not have a large number of ‘data police’ who will systematically audit each and every organisation. In fact, ICO staff are currently stretched by investigations into Facebook, Cambridge Analytica, Dixons Carphone Warehouse and BA, amongst others.
They are likely only to come knocking if and when a problem has occurred, like a data breach or a cluster of complaints. If they do investigate, they will want answers very quickly about how you have gone about complying with GDPR, whether senior managers are properly involved, how you identified and are dealing with data risks. A bit like that maths test at school, even if the ICO think you got the answer wrong, they will give you credit for ‘showing your workings’.
The big GDPR risks are often not the ‘obvious ones’
The whole issue of ‘marketing consent’ is, by its nature, very visible so it is natural for us all to home in on that aspect. However, it is really important to understand that the ICO expects you to think about information ‘in the round’ and assess risks in that context. Many of those risks can be overlooked unless you think about them explicitly.
What paper records do you keep? Where do you keep them? Are they locked away? How do you track whether certain records have been taken out of their ‘safe place’? If your customer, payments or employee payroll data is hosted by a third party, what steps have you taken to understand whether they are only processing your data on your behalf or also have independent control over it? What security arrangements do they have? Where is the data actually hosted? If someone wants to know what information you hold about them, how easy is it for you to retrieve it, and how do you balance disclosing their personal information without compromising the personal information of others? If you haven’t asked these questions of yourself and your suppliers then you are unlikely to be able to demonstrate that you take data protection seriously and are compliant.
There is no simple set of rules applicable to all businesses – it is all about mind set and ‘approach’
We fully understand that many business owners and senior managers simply want a checklist that they need to tick off to ensure compliance. Like it or not, the world of regulation does not work like that any longer. Regulators want the flexibility to change their position on the relative importance of different things – and they are not necessarily being cynical about this; markets, technologies, working practices all change. In addition, not all businesses or organisations are the same.
However, that flexibility means you do not get a clear ‘list’ of what is or is not ‘compliant’. Instead, you get guidance on what they want you to look at and the outcome they want you to achieve. In the ICO’s case, to be fair, their website is very good. There are different summary levels and you only dive into detail if you want or need to do so. As mentioned earlier, the ICO are definitely not looking for a ‘tick box’ or ‘template’ approach, however attractive that might appear to you. They want evidence that you take the issue seriously and have worked through things in a way that is relevant to your organisation. The flexibility afforded by ‘principle based’ or ‘outcomes focused’ regulation cuts both ways: flexibility for the ICO in the way it regulates and enforces the regulations, and flexibility for you in the way you comply, but only if the thought and consideration behind your approach is actually evidenced.
One aspect to bear in mind is that GDPR is not the only set of regulations you need to consider when thinking about data. There are also the little mentioned ‘Privacy and Electronic Communications’ Regulations. These are the ones that deal with consent to send marketing communications by text or email. There are also other requirements under legislation like the Companies Act about the company information you need on your website, in email footers etc. Certain regulators in certain sectors also have additional disclosure requirements. All this means that a tailored approach is required and everything needs to link together – processes, contracts, terms of business etc.
To wrap up, and to reassure you, all this does not mean you are cut adrift in a world where you will have to spend hours and hours trawling through page after page of legal jargon on the ICO website or have to part with lots of hard earned money instructing advisors. In our experience, businesses who have engaged, or are now engaging, with GDPR fall into two camps: those where a couple of hours of advisory time is sufficient (whether from us, data consultants or other professionals) to help them assess which areas require action they can take themselves, and those where, perhaps because of the nature of their current systems or their sector, more intensive work is required, but where the benefit is that the job gets done without the risk of drift and management distraction.
Ultimately, the world did not end, nor did business grind to a halt, with the implementation of GDPR. There were no midnight raids by the ICO. But the reality is that data protection legislation and regulations have developed and will continue to develop, and every organisation needs to consider what the risks are to them and how best to ensure compliance.