GDPR: Data protection as a collaborative process
Fri 3 Nov 2017
With General Data Protection Regulation (GDPR) just around the corner, businesses are eager to align their data protection strategies and do what they can to avoid the hefty fines associated with non-compliance.
To be fully enforced from May 2018, the GDPR will mark the biggest ever shake-up in the data protection landscape and organisations, whether from retail, hospitality, professional services, non-profit, IT or public sector, are familiarising themselves with its caveats and reaching out to industry partners for support in developing effective data protection programmes.
“Whether we see the GDPR as a blessing or a threat – or something in between – it is not only wise but a necessity to pay attention to what this ambitious new framework is trying to achieve and has already delivered,” writes Eduardo Ustaran, partner and European head of data protection law at Hogan Lovells, in a blog post.
“New responsibilities like data protection by design, data protection by default, record keeping obligations, data protection impact assessments and prior consultation with data protection authorities in high-risk cases will require managerial effort and investment. Many of these obligations are entirely new, so for the majority of businesses this will involve a substantial learning curve,” he added.
With such a widespread regulatory change, many misconceptions are bound to surface. While awareness continues to grow among organisations, it is crucial to fill any holes in understanding and build sound data protection strategies.
All industries are under threat from cyber attacks and data loss. In fact, in 2016, almost three-quarters of all UK businesses reported a security breach. Despite this, there remains a common belief that some industries are more secure than others.
Take the finance sector for example – according to a recent report by consulting group Capgemini, which surveyed 180 data privacy professionals around the globe, less than a third were able to say that they had adequate data privacy measures or a solid security model in place. Just 21% responded that they would be able to effectively detect a cybersecurity breach.
These figures are in stark contrast to the response of the customer. Of the 7,600 customers surveyed, 83% said they trust financial services companies with their data, and only 3% believe their bank has been a victim of an attack.
The public sector, seen to be largely trusted by citizens, is also littered with data protection faux pas. The Information Commissioner’s Office (ICO) surveyed 173 councils in an investigation which revealed that more than 15% of councils do not have any data protection training for employees working with personal data. The study also found that a third do not carry out privacy impact assessments (PIAs), as required under the GDPR.
On the release of the review, it was reported that the ICO had fined Norfolk Council £60,000 for a data breach in which a member of the public discovered sensitive social work files inside a filing cabinet at a second-hand shop.
Whatever the profession, across the private or public sector, organisations need to be aware of the importance of securing data and the harmful impact of lax data protection, in terms of both financial and reputational damage.
Brexit & The Data Protection Bill
Despite the vote to leave the European Union, businesses based in the UK are still subject to EU laws until further notice and must, therefore, work towards compliance. Even if the legislation is repealed, the GDPR will still apply to all businesses working within the EU and with EU data.
In June of this year, it was revealed that the GDPR would be brought into UK law to ensure that the country’s data protection framework is ‘suitable for our new digital age, allowing citizens to better control their data.’
To this effect, the UK government has introduced a new UK Data Protection Bill to replace the 1998 Data Protection Act (DPA). The legislation mirrors the GDPR and aims to enable a free flow of data with the EU post-Brexit.
“In or out of the EU, it doesn’t really matter. We put ourselves in the same position as U.S. companies at the moment. They’re going to have to apply the regulation, we’re going to have to apply the regulation,” commented Rob Sheldon, a partner at law firm Fielderfish.
“I wouldn’t really advocate putting GDPR compliance off. We’re going to end up with a regulation that looks very similar to this; just to enable us to trade with the EU easily and efficiently,” he added.
Further confusion lies around data controllers holding data processing agreements with the data processor. The upcoming GDPR stipulates that data processing agreements are vital for the controller and processor relationship, binding both parties to specific terms.
Building a strong relationship between controller and processor can also help businesses to better understand where data is stored and their responsibilities along the supply chain.
According to a recent report, almost 70% of organisations still wrongfully believe data protection, data privacy and compliance to be the responsibility of their cloud service provider. While providers have a duty to ensure data is kept secure and readily available, liability must also lie with the organisation that owns that data.
Overall, as we approach the new GDPR legislation, data protection, privacy and security need to be seen as a collaborative process with everyone asking questions of each other in order to conduct effective due diligence, to mitigate risk and ensure maximum efficiency for data protection investments.