GDPR: the countdown begins

February 2018

Pocketwatch on calendarManish Soni MBCS, IT Professional and Privacy & Cybersecurity lawyer at Macfarlanes LLP, provides some insight into how organisations are preparing for GDPR and how IT professionals can help.

Irrespective of your IT role, you will more likely than not be aware that there is a significant new privacy law coming into effect in May this year called the General Data Protection Regulation or, as more commonly known, the GDPR. Preparation - from the experience of the author - varies widely. Some organisations have been preparing for nearly two years. Not unexpectedly, however, a substantial number of small-to-medium organisations have now turned to GDPR preparations with around six months to go.

Difficulties with the current approach to privacy compliance

The compliance approach under the Data Protection Act (DPA), whilst not exclusively so, has tended to comprise:

  • registration with the UK data protection authority, the Information Commissioner’s Office (ICO);
  • an internal data protection policy;
  • an outward-facing privacy notice;
  • some organisational training and awareness;
  • a legal function (possibly with external assistance) to manage data protection in contracts; and
  • the existence of an information security function.

This approach is heavily geared towards superficial or ‘paper-shield’ compliance with the DPA. The idea being that, outwardly, organisations would have the right mechanisms in place to control privacy risks under the DPA. In reality, it appears privacy has not necessarily been ingrained into business practices. This makes sense, as organisations have their own businesses (or not-for-profit organisations) to run and privacy, in itself, will not generate any income. Unless an organisation is under particular scrutiny by virtue of its industry sector (such as a big tech giant or an organisation having suffered a cybersecurity breach and so on the ICO’s ‘radar’), privacy efforts have, in some cases, become considered purposeless ventures.

It is also worth pointing out that organisations in the IT industry, especially where there are relationships with the USA in some form, have misinterpreted the terms ‘PII’ (personally identifiable information) and the European definition of ‘personal data’ since they both concern personal information. They are very similar (especially if one considers National Institute of Standards and Technology (NIST) guidance - i.e. non-legal - definitions of ‘PII’). However, the GDPR definition (as under the DPA) is interpreted much more widely and includes, for example, IP addresses, which would unlikely be considered PII in practice.

A paradigm shift under the GDPR?

Under the GDPR the data protection principles (like ‘transparency’, ‘purpose limitation’ and ‘integrity and confidentiality’) are almost identical to those under the current regime but for the addition of a new principle of accountability. This is important to appreciate as it heavily impacts the approach to GDPR compliance. The key aspect of this new principle is that it demands that organisations are responsible for and able to demonstrate compliance with the data protection principles.

The accountability principle, taken together with the significant uplift in fines (moving from £500,000 to the greater of €20m / four per cent of global worldwide turnover) mean that many organisations need to look at implementing a compliance programme.

In practice, one of the consequences of this new accountability obligation is that organisations are facing some difficulties in addressing the change in approach from the current DPA and the GDPR. Whilst organisations initially, upon commencing GDPR compliance initiatives, have instinctively pushed to simply ‘update the policies and contracts’ (following the methodology described above) to make them GDPR-compliant, this has noticeably turned into a realisation, on the ground, that a more strategic approach is needed to manage the more overt risks in failing to deal with privacy at a more granular level.

A good GDPR compliance programme

Whilst detailed discussions around suitable compliance programmes are beyond the scope of this article, the features would typically incorporate: creating an organisational privacy vision; formulating a privacy strategy; establishing an appropriate privacy governance model; structuring a privacy team; and constructing a privacy framework (implementing the privacy strategy).

What can IT professionals do to help?

There are several areas from the author’s experience where IT professionals could usefully apply their skills to assist with GDPR compliance efforts. Some standout areas include:

Privacy notices
The GDPR text itself, as well as EU guidance issued in this area (most recently published in December 2017) has repeatedly stated that public websites must have a privacy notice that is ‘concise, transparent, intelligible and easily accessible.” ‘Layered’ privacy notices appear to have become popular, whereby hyperlinks are inserted into webpages directing to other webpages with ‘drill-down’ information or, in some cases, ‘drop-down’ expansion with a click or hover-over. However, there is little innovation in making such policies easier to read or understand. Innovations might include:

  • the ability to ask natural language questions in relation to what is contained in a policy (all the more important now since these policies are becoming much longer);
  • improved contextual analysis of privacy notices that could help highlight key points, including on different types of devices (including mobile and IoT);
  • given the substantial amount of categorisation of privacy information to be provided to data subjects, and the different forms and potentially languages, this could be amenable to the appropriate application of XML and XSL technologies. 

Consent and explicit consent
Consent requirements under the GDPR are more onerous and, for example, will require consent to be lifted out of terms of business. Innovation would likely be welcomed as to how to present such consent in a way that is easy to administer. Additionally, increased usage and an improvement of privacy dashboards would be welcomed as an excellent way to usefully manage all privacy settings in one place.

‘Explicit consent’ (which is typically required for ‘sensitive data processing’) is complicated and requires consent in writing. However, this can be done electronically with digital signatures. Privacy tools to achieve this seamlessly would be useful.

Personal data breach responsiveness and preparation
Organisations will need to more closely align or even integrate privacy risk assessments with information security practices. This would prevent unnecessary drain on organisational resources by duplication of similar efforts.  Many BCS members will be adept at analysing and classifying information security risk. Whilst analysing ‘privacy risk’ is not the same thing, alignment between the process for handling ‘security incidents’ and ‘personal data breaches’ (the latter being specific GDPR language, defined under Article 4(12) GDPR) is required. Additionally, members could usefully help reduce an organisation’s exposure to risk under the GDPR by bridging this divide with suitable privacy knowledge.

Upskilling to get ‘privacy qualified’
Following on from the last point, more BCS members could usefully push to get upskilled on privacy. There are some great courses available, including at the BCS, which can help here.

In-house tools to assist in compliance
The record-keeping obligation for personal data processing activities under the GDPR is a difficult one.  Whilst some organisations are purchasing software tools from vendors, these are not bespoke. BCS members would be well-placed to help develop or tailor existing software to provide well-serving functionality to help record and maintain logs of compliance efforts. 

Software development processes
It is now necessary to adopt a ‘privacy by design and by default’ approach in systems development life cycle’s (SDLC) that will appropriately capture and apply controls on privacy risk. This may entail conducting a ‘data protection impact assessment’. As well as amounting to a form of official documented risk assessment under the GDPR, this also serves to provide an opportunity to highlight potential issues with software before they really become an issue when software is rolled out. BCS members, especially with some privacy training, would be well placed to know where such privacy risks might arise and how they could best be mitigated.

Get the approach right

With less than five months to go until GDPR will be enforceable, more than ever, it is important to get the approach right. Inherent in doing this, is making sure that organisations appreciate the new GDPR principle of ‘accountability’. Getting a compliance programme implemented, in a way that aligns to business needs, is a suggested approach to reduce the risk of falling foul to the legislation.

Finally, GDPR compliance efforts could usefully be boosted by BCS members in various ways, such as through innovation and upskilling in privacy, which would in turn provide increased value to organisations served, as well as potentially to members themselves.

Image: iStock.com/Kiddy0265