The countdown clock on Morrison & Foerster's EU General Data Protection Regulation (GDPR) readiness client hub tells me that (as at the time of writing) we have less than 10 months until the GDPR comes into effect on 25 May 2018. Our experience is that, in general, US-headquartered companies have been getting into gear for GDPR for many months, while many EU-based organisations are only now revving the GDPR engines. GDPR readiness is often portrayed as a mammoth task; many organisations are only too aware of the potential sanctions (€20 million or 4% of annual turnover) and, against that rather severe backdrop, compliance teams face the unenviable task of working out "where do we start?" In this article, we set out a roadmap for CIOs involved in GDPR preparations.
What is GDPR and is anything really changing?
The GDPR is a comprehensive data protection regulation that replaces the current EU data protection directive and (in part) the UK Data Protection Act. It imposes more uniform requirements across the EU. At its core are accountability and transparency: being clear with individuals about how their data is used and putting high standards of data protection at the heart of how we do business. The UK Information Commissioner's Office (ICO) views the GDPR as a means of increasing data trust and confidence among the UK public.
Many of the concepts under the current data protection regime remain unchanged, and the ICO's view is that companies which are compliant with the current regime have a "strong starting point" to build from. But there are important new elements and some things will need to be done differently. Apart from the increased enforcement powers described above, the GDPR regime will make it more difficult for businesses to rely on an individual's consent as a lawful basis for storing, transferring or otherwise processing their personal data. This is particularly true in the employment context. More emphasis is placed on data record-keeping, data retention, data security and impact assessments - and that will replace the requirement for data controllers to register with the ICO. Moreover, the GDPR requires compliance not just from EU-based data controllers and processors but also from organisations based outside the EU which offer goods or services to UK-based consumers or which monitor the behaviour of individuals in the EU.
Individual rights to access information remain (subject to some changes, particularly in response times), but there is a new right to data portability and a right to object to profiling (e.g. the use of personal data to predict behaviours). The renowned "right to be forgotten" also features.
When do new GDPR regulations come into place?
The GDPR comes into force on 25 May 2018 without the need for national legislation. The UK government will table a new UK Data Protection Bill to reflect GDPR requirements and take us through Brexit in March 2019. The new regime will be here to stay - the UK regime needs to be as robust as possible if we are to retain the ability to share data with other EU member states (and internationally) after Brexit.
Why do we need the GDPR?
The current regime, which dates from the late 1990s, is simply not fit for purpose. The law needs to catch up with the tech explosion and the exponential increase in value of personal information, the way we use it and its importance for business. The ICO regularly releases and updates guidance notes to tackle the issues faced by organisations and individuals about data security and privacy, but this can only go so far. The problem is that the underlying regime doesn't cater for how to deal with large data sets now held by organisations, or with new categories of personal data (such as online identifiers) - and it focuses on data controllers rather than data processors.
If there is one indicator of how the EU views the value of data to organisations these days, it is the severity of the sanctions for breach of the GDPR.
How do we ensure compliance?
The first step is to form a team internally to develop and execute your readiness plan. Many organisations have formed a cross-departmental team (e.g. Legal, Compliance, IT, HR). Others will rely on one department to take the lead (e.g. Legal) with support from other areas of the business as required.
The next step is to create an inventory or record of the data which is currently processed by the organisation. CIOs are likely to be involved in the inventory process - for example by identifying and setting up an inventory tool, and helping to populate it based on what information is part of each application or process, and how information in each process or application is protected. The aim is to confirm what personal data is held (e.g. employee data, consumer data), on what legal basis (e.g. individual's consent, a business need, a legal requirement) and for how long. It should also cover whether the data is shared or transferred outside of the EU.
The inventory will be the central part of the record-keeping systems required by the GDPR. Whilst it is not required, many organisations might also elect to keep a record of the legal basis for the processing. This can make things easier when responding to an individual's subject access request for personal data.
CIOs may also be asked to facilitate the process for identifying what "high risk" data processing is carried out by the business. High risk processing includes profiling and systemic large-scale monitoring of publicly accessible areas (e.g. CCTV). Once this type of processing is identified, a mechanism should be designed to flag it for a data protection impact assessment (DPIA) before any processing begins. CIOs should ensure that their teams know to check with relevant business leads that a DPIA has been carried out if they are asked to conduct any high risk processing.
CIOs should feed into new procedures for dealing with individuals' requests so that these can be handled efficiently. CIOs should identify the number and scale of subject access requests made in previous years, in order to design a process to handle future requests - and note that timing will be tight: subject access requests and individuals' requests to "port" their personal data to another organisation should normally be handled within a month. The procedures also need to cover how a request for erasure will be dealt with - and in what circumstances third parties (e.g. search engines) will be contacted to delete data.
Data security breach response procedures should be updated. The days of voluntary reporting are gone. As a rule of thumb, breaches must be reported to the ICO within 72 hours, unless the breach does not expose individuals to risk.
EU GDPR verdict
GDPR preparation involves a time-consuming review of data processing activities and policies, but is already helping to embed data privacy within business culture. The idea is that one day soon it will become second nature.