In the run up to May 2018 the data protection world predicted a shift with statements such as ‘personal must be respected or the fines will come’.
So, what has actually changed since pre-May 2018? In terms of regulation you might be hard pressed to spot any real tangible and practical impacts of the new regulation, after all the old Data Protection Act (1998) was pretty good legislation.
It had its issues but these may have been due to two shortfalls:
- The old legislation had no teeth.
- The default position was, prove you were compliant after an issue
The old legislation had no teeth.
Under DPA (2018) and GDPR the regulator has the power to investigate and issue advisory notes, warnings and sanctions such as halting a particular processing activity, but this has not changed since DPA (1998). There is a significant change in the sanctions that can be applied though and anyone who has even heard of GDPR knows that the level of fines have increased.
The question then is, will the fines happen and what is the impact they do? The first part of that question was answered in January 2019 when Google were fined 50 m euros. The impact of this fine on Google of this fine would be limited, it is simply nowhere near close to the maximum they could have been fined, although I trust that the French regulator hudged it adequate.
What does 4% of gross annual turnover actually mean to big business and is it enough of a deterrent?
A maximum fine on Tesco’s turnover of £57bn in 2018 would equate to a £2.2bn fine. This is significantly more than the old £500,000, more that the €20m often quoted in May 2018, and even more than the same years reported annual profit of almost 1.3bn. In fact, a maximum fine for Tesco would wipe out the previous three years annual profit.
So yes, it seems the new legislation might have some teeth. The point is though, that these fines are significant enough to ensure that large business now must take data protection seriously because the financial impact of the data protection risk is sufficient to make it on to the operation risk log which reaches the board.
The default position
But should the business act because of the threat of fines, or should they have respect for their customers data? The GDPR has an answer to this in one of it’s articles ‘Data protection by design and by default”.
Data protection by design. . . .
“Quality is never an accident. It is always the result of intelligent effort.”John Ruskin
and by default . . . .
“Quality means doing it right when no one is looking”.Henry Ford
One thing which has clearly changed as a result of GDPR are the principles to which all organisation should manage data by. The principles of the old data protect act remain within GDPR, even if in a slightly different form, but what the GDPR introduced was the principle of ACCOUNTABILITY. Put simply, the accountability principle makes it necessary for the organisation to be able to evidence that they are meeting the principles set out.
Therefore, the default position has changed, no longer should you prove you WERE adhering to the principles, now you need to prove you ARE adhering to them. A few letters in a sentence can make a lot of difference to how an organisation needs to operate. Now, regardless of your organisations size, you need to evidence what personal data you process, why you need it, how long you keep it, where it is to change it (or erase it) etc. You also need to be able to evidence who you share personal data with and in particular the terms under which they can process that data. Sending personal data overseas is not an organisations automatic right, there are safeguards to be put in place, and these need to be evidenced.
The impact of the accountability principle is not answered merely by a ‘data mapping exercise’,
- compliant contracts must be in place
- data sharing agreements are advised
- transfers to third countries cannot take place without demonstrable safeguards
- both policy and procedure needs to be communicated
- you need to evidence that you know how long you keep data (and that you routinely manage this retention and destruction)
- you should train your staff and you will be asked, if you have a data breach
There is also the question of demonstrating that you have considered the risk to personal data before a new process is implemented, this is the fundamental driver for ‘data protection by design’ and building a culture where these assessments always take place makes it ‘data protection by default’.
Clearly the more complex your use of personal data, the more complex the management of it will be, but don’t be mistaken into thinking that small businesses do not need to react. It is true that a guideline is included into GDPR which indicates that all organisations with over 250 employees must be able to show how they process data (Article 30). And that is the point at which many in smaller organisation stop reading with a sigh of relief however, it goes on to say:
- Unless the processing is likely to result in a risk to the data subject
- Unless the processing is not occasional
- Unless the processing includes special categories of data; or
- Unless the processing relates to criminal convictions and offences
That sounds a little like a ‘catch all’ to me, besides how can you demonstrate your accountability of you don’t know where your data is or what it is used for?
Be assured though,
“It is not necessary to change. Survival is not mandatory.”W Edwards Denning
How ProvePrivacy helps:
We identified that a simple set of spreadsheets entitled ‘record of processing activities’ are often not enough and that the problems you find when using spreadsheets include:
- cross referencing contracts to activities is not dynamic, change a contract and you have to change a series of spreadsheets
- demonstrating that contracts are compliant (or even still current) on the ROPA becomes more complex when more than one contract is linked to an activity
- identifying the risks aligned to activities at an organisational level is complex and slow to change
- managing risks relies on yet another spreadsheet or system
- owners of activities may not have access to the final ROPA spreadsheets meaning the ROPA soon becomes out of date.
So we designed ProvePrivacy with a view to eliminate these problems and make the act of demonstrating compliance easier. By giving the activity owner the ability to manage their own activites, the risk is managed where it should be managed, at the point where the issue might arise.
ProvePrivacy places all of compliance with suppliers in one place too, the built in contract assisted assessment means that if you have assessed the contract to be compliant once, a second activity owner is assured that it is compliant also.
The reporting built in allows the DPO to see all risks across the organisation at a glance and do what they are supposed to do, assist the activity owner to resolve the risk.