With less than one year left before the General Data Protection Regulation (GDPR) comes into force in May 2018, the Information Commissioner’s Office (ICO) has embarked on an initiative to correct some public misconceptions about its impact. Elizabeth Denham, the Information Commissioner, recently expressed concern in the ICO blog that ‘not everything you read or hear about the GDPR is true’, and that ‘misinformation is in danger of being considered truth’. This article will discuss how the legal and business press have been reporting GDPR stories, and outline the 12 steps that the ICO recommends organisations should be taking now.
GDPR stories and press releases
Misconceptions in the public understanding of data privacy are nothing new: an instance that many readers will have encountered is the notion that parents must not take photographs of their children at a school sports day ‘for data protection reasons’. In the case of GDPR, one common misconception is that absolutely all data breaches have to be reported; another is that personal data can only be processed with the consent of the data subject, and in no other circumstances. In Denham’s words, however, ‘Myth Number 1’ is that the massive potential fines for non-compliance are the biggest threat that GDPR poses to organisations.
It is true that the GDPR gives data protection authorities the potential to impose large fines, but it is not the whole truth. The GDPR in fact establishes a layered penalty regime which allows authorities to impose fines for some infringements of up to 4% of annual worldwide turnover or €20m (whichever is higher), and up to 2% or €10m for others. In each case, factors such as the nature, duration and severity of the infringement are to be taken into account.
Carefully qualified headlines, however, do not sell newspapers. Nor do they help sell IT solutions that promise GDPR compliance, management consultancy services for GDPR-readiness programmes – or, for that matter, legal advice on preparing for the GDPR deadline. That is why law firms continue to push out press releases and know-how under headings like ‘Act now to avoid multimillion-pound penalties under tough new EU data laws.’ As Denham observes, ‘Focusing on big fines makes for great headlines, but thinking that GDPR is about crippling financial punishment misses the point… it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.’
In fact, issuing fines is generally a last resort for the ICO; there are several other measures at their disposal. Out of 17,300 cases concluded by the ICO in 2016/17, only 16 resulted in fines; and the maximum £500,000 fine provided for under the Data Protection Act 1998 (DPA) has never been invoked. This approach is unlikely to change just because the DPA is going to be replaced by the GDPR.
Practical steps to take now
Of course, organisations cannot just ignore the May 2018 deadline – action needs to be taken – but the ICO recognises that achieving full compliance is problematic. They also recognise that for many organisations, the scale and complexity of the task are intimidating. The sheer volume of guidance is itself challenging.
There are some potential ‘quick wins’. Data mapping tools are available to help companies identify and document what personal data they hold, and where, and who has access to it. Data centre companies are offering new solutions with stronger assurances about information security, to help meet the more onerous demands that GDPR imposes. Other tools are available to assist legal advisers in building up a picture about the compliance status of an organisation. (My own firm has a tool called Asimuth, which takes the user through a series of modules and generates recommendations in response to the user’s yes/no responses.)
The ICO itself has issued a high-level checklist of its own, entitled Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now, last updated in May 2017. The main body of the document runs to nine pages, and provides links to more detailed guidance from the ICO or other sources. It is a helpful starting point if your GDPR-readiness programme is still in its early stages, or if you have limited resources and need to decide what to prioritise.
The 12 steps themselves can be summarised as follows:
Awareness. Ensure that key people in your organisation know about GDPR, and understand its likely impact.
Data mapping. Ascertain and document what personal data you hold, where it came from and who you share it with.
Privacy information. Review current privacy notices, and establish a plan for updating them ahead of the May 2018 deadline.
Data subject rights. Ensure that procedures are in place to address the new rights that individuals have under the GDPR, such as the ‘right to be forgotten’ and the right to demand a copy of the personal data that you hold.
Subject access requests. Update existing subject access request procedures to accommodate the new timescales and provide any additional information that GDPR requires.
Lawful basis for processing. Establish the ‘lawful basis’ for any processing that you undertake (from the six lawful bases listed in the GDPR), and reflect this appropriately in your privacy notices.
Consent requirements. Review how you seek, record and manage consents from data subjects, consider whether you need to make any changes, and refresh existing consents now if they do not meet the GDPR standards.
Children. Consider whether you need to put systems in place to verify the age of data subjects, and to obtain parental or guardian consent for
Data breaches. Check that your organisation has suitable procedures in place to detect, report and investigate data breaches.
‘Data protection by design’ and data protection impact assessments. Familiarise yourself with the ICO code of practice and other guidance on impact assessments, and consider how to implement them in your organisation.
Data protection officers. Consider whether you are formally required to designate a data protection officer, but in any case ensure that someone within your organisation has clear responsibility for data protection compliance.
International. If your organisation operates in more than one EU member state, determine which country’s data protection supervisory authority will be your lead authority. (It might not be the ICO.)
Headlines about potential fines raise the profile of GDPR generally, and in that sense they serve a useful purpose. However, the supervisory authorities recognise the challenges that GDPR presents to business, and accept that it will be difficult to achieve full compliance by the May 2018 deadline – if ‘full compliance’ is achievable at all.
Rather than focus on the potential fines, organisations should concentrate on putting a coherent GDPR-readiness programme in place, and pursuing it as diligently as they can. As long as the organisation does that, then the risk of being landed with a big fine in the first couple of years seems remote.