How to avoid some common mistakes with the GDPR
Julian Roberts, EssentialSkillz, CEO, London, 27 November 2017
July’s Cyber Governance Health Check Report 2017 revealed that only 6% of FTSE 350 companies are properly prepared for the European Union's General Data Protection Regulation. Julian Roberts, the CEO of EssentialSkillz, an eLearning and compliance software firm, shares his views about the preparations that businesses can make in good time for next May’s changes.
All businesses in the UK ought to adhere to the EU’s updated data protection law when it comes to the personal data they hold and the ways in which they use it. The deadline is 25 May 2018. This may seem like plenty of time to prepare, but the topic is so complicated and the potential penalties so hefty that it is important to act now – especially when it comes to training all employees. If businesses fail to comply, they face potentially ruinous fines of up to 4% of their global annual turnover or £17 million (€20 million), whichever is higher. The health check report is to be found at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/635605/tracker-report-2017_v6.pdf
If a company handles personal data and is established in the EU, the GDPR applies. If the company is located outside the EU but offers goods or services to, or monitors the behaviour of, individuals inside the EU, the GDPR will apply to it whenever it stores, processes or shares those individuals’ personal data. Note that the test is where the individual is, not their citizenship.
The ICO (Information Commissioner’s Office) has devised a set of 12 steps to help organisations prepare for the changes, which is a useful checklist for those requiring the basic information on GDPR and how to prepare. It can be found at https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Once you know that your organisation has to obey the GDPR and you know the basic requirements, what next? There are some obvious hurdles over which companies tend to stumble, but there is no need to panic – the solutions to them are often quick and simple.
Lack of awareness about basic data protection
According to the accountancy and advisory firm of Moore Stephens, “Organisations need to ensure that they fully understand GDPR so that they effectively identify what is required for the organisation to comply. The common theme that we are seeing is a significant lack of awareness of the regulation and this is throughout the organisation from top to bottom. Very often, the lack of awareness is not just related to the incoming GDPR but, more worryingly, concerns the basic data protection principles that the organisation should be on top of and fully compliant with already.
“Our experience to date has suggested that there are major underlying issues within organisations of all sizes in respect of them being a long way away from complying with the current regulation, let alone thinking about what the GDPR will be asking of the organisation. In this scenario, it suggests a lack of knowledge and resource within an organisation to address any data protection issues and it would be recommended that a third party should be engaged to make organisations aware of what is fully required under GDPR and to assist them on the GDPR journey to guide the organisation through to compliance before the enforcement date in May 2018.”
In a recent webinar held in October, EssentialSkillz polled more than 100 decision makers who were responsible for GDPR compliance at their firms, asking them questions about their training policies.
- Only 21% of organisations had started to train people to deal with the GDPR.
- 40% had tackled basic cyber security training.
- However, 82% had distributed guidelines to govern their employees' use of social media.
Our customer base fits a similar profile. The recent ransomware attack on the National Health Service and the impending threat of stiff penalties for non-compliance with the GDPR are forcing organisations to take cyber security much more seriously. If they have not mastered the basics, there will be trouble. It is imperative for everyone at every company to understand the basic principles of the regulation, while people who handle personal data directly require more extensive training.
Know your responsibilities!
While it may seem obvious to some, being aware of how personal data is defined is the first action to take when determining a company’s responsibilities. Personal data is any information relating to an identified or identifiable individual – a name, an ID number, location data, an online identifier such as an IP address or a cookie ID, and so on. Pseudonymised data that can still be tied back to a person with additional information is still personal data. Any personal data a company holds must be processed on one of the lawful bases set out in article 6; consent is only one of them (others include performance of a contract, a legal obligation and the controller’s legitimate interests). Where consent is relied on, it must be freely given, specific, informed and unambiguous, and it must be as easy to withdraw as it was to give. Explicit consent is required for special categories of data, such as health or biometric data.
The GDPR sets out data processing principles in article 5. These include a new accountability principle, which obliges the controller to be able to demonstrate compliance rather than merely assert it. The principles are as follows.
- Lawfulness, fairness and transparency. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Purpose limitation. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy. Personal data shall be accurate and, where necessary, kept up to date.
- Storage limitation. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Integrity and confidentiality. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Accountability. The controller shall be responsible for, and be able to demonstrate compliance with the GDPR.
Anyone handling the personal data of individuals in the EU is either:
- a controller – a person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of processing personal data; or
- a processor – a person, agency, public authority or other body that processes personal data on behalf of a controller, whether directly or through sub-processors it engages.
Some of this is straightforward – it should be immediately apparent whether a firm holds personal data – but it takes more time to tell staff members about the responsibilities of their company and to set clear guidelines and goals for each team. It is important for the person who trains staff to place a mantle of responsibility on each employee, as anyone who works with personal data of any kind needs to be compliant with the changes coming into effect. Another poll reflected this: 73% of organisations were preparing everyone for the GDPR, but 27% still took the view that responsibility was siloed in the IT, finance or legal departments.
Understanding individuals’ rights
The data subject has the right to obtain information from the data controller about what data it holds on them, and to know how, where and why that information is being used. If they want to know more, the company must be prepared to provide it, normally free of charge and within one month. Individuals will have more comprehensive rights than ever before to:
- gain access to their information;
- have inaccuracies corrected;
- have information erased;
- object to direct marketing;
- not be subject to solely automated decision making, including profiling;
- carry their data about, in a structured, commonly used and machine-readable format.
If a firm that acts as a data controller or data processor infringes these rights, individuals can take legal action against it. Now that collective actions are possible under the laws not only of the UK but also of France and Germany, they can club together to issue a claim against it as well.
The team that controls the data ought to understand the process of supplying personal data back to the individual, including how to verify the requester’s identity and how to locate every copy of their data across systems. Equally, when obtaining personal data, the firm should review its privacy notices to ensure that they are thorough enough when the regulation comes into force. On top of the GDPR, the UK's Freedom of Information Act places additional burdens of disclosure on public sector organisations, and employees in these institutions will again require additional training.
The GDPR is a complicated subject that might seem daunting, but with the right training under their belts, organisations can move a long way towards compliance.
* EssentialSkillz can be reached in the UK on 01908 904400 and in the US on 1-844-346-8646