GDPR…Playing Catch-up

The General Data Protection Regulation is a significant compliance hurdle for all but the most mature organisations. It unapologetically adds new complexity on top of the existing Data Protection Act currently in force in the UK and introduces a whole new set of compliance domains on top of it.

One issue we’re seeing in the run up to the implementation of GDPR at the end of May 2018 is that organisations are coming to a slow realisation of the size and scale of the remediation required. This is compounded by the realisation that many of them are not yet compliant with the existing Data Protection Act, so there is very much a feeling of ‘playing catch-up’: first catching up to DPA compliance, which GDPR simply adds to and expands on, before minds can even be directed to how to comply with GDPR itself.

What are the key changes from the DPA to GDPR? The list below summarises the main ones:

1. Governance & Accountability – in addition to appointing a Data Protection Officer, organisations must ensure they have a suitable operating model and governance structure that fully supports the DPO function. Gone are the days when data privacy could be done in isolation from the business and other risk functions; it must now be an integral cog in the machine. This includes clearly defining senior stakeholder accountability, the roles responsible for data management, and the justifications for each instance of data collection.

2. Consent Collection – more stringent requirements around consent collection. Consent must be provided unambiguously by customers, through a clear affirmative action (e.g. opt-in, not merely the absence of an opt-out), and it must be as simple to withdraw consent as it is to provide it (firms often make the channels for withdrawal considerably harder to use, for customer retention purposes).

3. Data Portability – a completely new requirement that permits customers to request that their data be shared with third parties. If requested, this must represent the totality of their data (already difficult without a single customer record) and must be provided in an easily understandable and uniform format. With huge amounts of legacy infrastructure and different systems processing the same data, this is another considerable technology challenge.

4. DSARs (Data Subject Access Requests) – although not a new requirement, the changes around DSARs (e.g. the service must be free and must be fulfilled within 4 weeks of the request being made) make this another business challenge. Nobody really knows as yet how many people will fully exercise their rights around this come May 25th 2018. I feel that if there is sufficient media coverage in the build up to May next year, there may be a significant spike in requests, but this should peter out over time.

5. Breach Notification – organisations will soon be required to notify the regulator (and in some instances customers) within a 72hr window of discovering a breach. Exactly what defines a breach, when the clock starts ticking and whether this time frame is feasible are yet to be determined.

6. Transparency – there are significant new requirements around ensuring customers are truly well informed by organisations about how their personal data is processed. This includes more thorough privacy notices that are no longer allowed to be buried at the back of websites inside lengthy and complicated legal statements. They must be simple, concise and easily comprehensible by the layman, and presented to the customer at the right points in the customer journey.

7. Right to be Forgotten – the much publicised ‘Right to Erasure’ will come into effect, essentially allowing customers to request the deletion of their personal data (including copies held by third party processors). Organisations won’t have to bend to a customer’s every beck and call, and they will legitimately be able to retain a lot of information for valid reasons (e.g. fraud prevention), but fulfilling these requests will require more processing capability than exists in most organisations today. This is especially true given legacy infrastructure: some systems simply do not have the ability to delete data at all!

This state of ‘catching up’ to the DPA, even before we start to think about GDPR, has significant impacts, most obviously on the level of risk and on timescales, but also, perhaps more subtly, on funding and internal stakeholder buy-in.

Firstly, the level of risk and the compliance gap are clearly greater for organisations that are still bringing themselves up to the standards of the DPA. This directly affects the timescales within which those organisations can get up to speed from a GDPR perspective, as attention is first given to fixing the basics (DPA). In most cases, where funding isn’t available for these exercises to run in parallel, these organisations will be significantly delayed in both their risk assessment (gap analysis) and the subsequent remediation of the issues found.

The second impact is on funding and internal stakeholder buy-in. Those already responsible for risk mitigation against the DPA will find increasing resistance to requests for funding GDPR remediation if the gap to the DPA is already significant. For one, the size of the request will naturally be much greater and is likely to affect a much wider area of the business. But there is also a question of confidence: those who have already struggled to enact the change needed to meet the DPA will face an uphill battle to be provisioned with the much greater sums of money required for remediation under GDPR.

What we’re starting to see in organisations that are successfully making this transition is the type of person they are placing in positions of GDPR accountability. They are placing people who are not necessarily experts or SMEs in the regulation itself (or even in data privacy as a whole), but who have a regulatory background, significant experience in enacting change, and sufficient clout in the business to do so autonomously. One of the key crippling factors we have seen restricting buy-in from audit committees and boards is not a lack of expertise in identifying and assessing the level of risk, but a lack of expertise in driving change throughout the breadth of the business once the risk is known.