The impact of GDPR and the key challenges for organisations operating in the international arena
GoodCorporation’s data protection debate was opened by Amanda Williams, Director of Strategic Policy (Parliamentary and Government Affairs) at the Information Commissioner’s Office (ICO). Amanda reviewed the steps taken by the ICO in preparing for GDPR, the experience to date since implementation and shared thoughts for the future.
Preparation
In the run-up to GDPR, the ICO set out to help businesses prepare, providing guidance and dispelling myths. The change was felt to be evolutionary rather than revolutionary as the new requirements are built on the core principles of data privacy which were fundamental to the Data Protection Act.
To add further clarity, the ICO published its regulatory action plan, aiming to take a fair and proportionate risk-based approach as a regulator.
Experience to date
Since GDPR came into force, the number of data privacy complaints has increased significantly, indicating that consumer awareness of their rights over their personal information is far higher than previously. Complaints are up to 100 per cent higher than the previous year.
The ICO expects the awareness of data subjects’ rights over their data to remain high and as a consequence, they are anticipating that the number of complaints will continue to grow. In particular subject access requests are likely to continue at the high levels seen over the last 10 months.
Action taken
Across Europe, companies have already been fined under the GDPR, the largest and most significant being Google’s €50 million penalty, issued by France’s data regulator the Commission Nationale de l’Informatique et des Libertés (CNIL).
In the UK, the ICO has been dealing with breaches committed under the old regime and although there have been no fines yet under GDPR, 900 notices of enforcement action have been issued, the most high-profile being against Canadian data analytics company AggregateIQ.
To deal with this increased activity, the ICO has grown significantly, almost doubling in size from 350/400 people to nearly 700, with plans to grow to 800 over the next 18 months. A team of international experts is also being built to reflect the fact that data flows do not stop at international borders.
The future
GDPR cannot be considered as a completed task. Businesses have an on-going responsibility for the way in which they handle personal information and remain accountable to data subjects for this.
Consumers are wary about sharing their data due to a lack of trust. However, research suggests that where an organisation is trusted, willingness to provide data raises considerably. In a world where data is of significant value, this can present a huge competitive advantage for those organisations that can successfully build that trust.
With regards Brexit, deal or no deal, data flows are expected to continue. The UK Government is committed to bringing GDPR into UK law and would expect to obtain a recognition of adequacy should we leave without a deal, but the timing of the adequacy recognition is not clear.
The ICO remains of the view that good data protection enables rather than curtails business, bringing with it some significant benefits. Those organisations striving to get data protection right will be supported.
GoodCorporation posed the question, since GDPR, have data protection challenges increased or decreased? The vast majority felt the challenges have increased.
Below is a summary of the key points raised: –
- GDPR has not created a single regulatory framework due to the many derogations that are being implemented in different EU countries. As such, international businesses are required to operate multiple policies and compliance regimes which presents huge challenges, even for those who want to comply. This is particularly problematic for those organisations managing healthcare data as some jurisdictions have implemented laws that allow the processing of health data and others have not.
- Some businesses feel they have built strong systems that comply with the high standards of GDPR data protection but are struggling to monitor effectiveness in a global organisation.
- Resourcing is potentially problematic. GDPR compliance is demanding yet there are finite resources to implement it. Businesses noted that implementation may take time as businesses have increasing obligations to fulfil.
- Small companies in particular will find compliance a challenge as they do not have the resources to build the systems needed. This is exacerbated by the uncertainty of Brexit. Some companies are attempting to plan for multiple Brexit scenarios, so more guidance from the ICO about what steps to take would be welcome.
- Complaints were made about data processors who are perceived to be unwilling to engage properly with the new regulatory requirements and are resisting requests to comply. Some are even perceived to be building systems that they know are non-compliant with an apparent disregard for the new rules. More pressure or guidance from regulators on how to manage this would be welcome.
- Identifying and managing data controllers effectively can require substantial levels of granularity which adds to the compliance challenge.
- In the charity sector there is a perceived gap between what is required and what is being done, with some refusing to engage with the requirements if they see others ‘getting away with it’.
- While GDPR has introduced a greater awareness of good data protection, it has also increased concerns within businesses generating an element of fear about whether or not it is being done properly.
- Some businesses have concerns around a possible conflict between privacy and the prevention of crime/terrorism. This needs to be managed through a coordinated international approach between regulators and investigators.
- Where there is board recognition of the business benefits of carefully managing the personal data held, success can be achieved. Offering customers across the globe the same rights regarding their data is seen by some as a significant business advantage. Others are wary of being able to implement such policies in jurisdictions where human rights issues are given less prominence.
- Marrying compliance with culture will be critical to the successful implementation of GDPR. Effective compliance can be driven by a strong corporate culture.
- Legislation needs to keep pace with technology, including artificial intelligence. It was also noted that there has been no guidance on or changes to PECR, businesses would welcome such guidance.
The GoodCorporation view
GDPR has introduced real accountability for good data protection and this is something that businesses need to embrace at the highest level. Corporate culture will be vital to effective compliance. Data protection needs to be understood as the right thing to do with effective systems put in place wherever personal data is processed by the organisation. Appropriate staff training is also required to ensure that the obligations are shared and understood.
Boards should be seeking assurances that their companies have reviewed their policies and procedures, that appropriate risk assessments have been conducted and the necessary mitigation measures put in place. Tools such as GoodCorporation’s Data Protection Framework can be used to assist with this. Data protection is already being considered as more than just a compliance issue, it is an indicator of how an organisation conducts its business. It also has a real business benefit as organisations that are trusted with personal data can secure a competitive advantage.