The coming into force of the General Data Protection Regulation (GDPR) is the most significant development in UK data protection law since the 1998 Act itself. Renowned data protection expert Rosemary Jay, author of Guide to the General Data Protection Regulation, answered our questions about the key challenges posed by the GDPR.
What are the biggest challenges in complying with the GDPR?
That will partly depend on the type of organisation. A bank will face different challenges to a healthcare provider. The things which will require change from all data controllers are the strict security breach notification rules, the focus on data protection by design, data minimization and the new individual rights.
Are any particular sectors disproportionately exposed?
It will affect all businesses. Every organisation needs to be preparing itself. SMEs generally may not be as well prepared as large businesses which are running compliance programmes. If you look at the ICO figures it appears that the sectors which are at the highest risk of security breaches, or data loss – because if they are data-rich any data loss will be correspondingly serious – tend to be public sector bodies, often in healthcare. However, that may reflect the fact that the public sector has an existing reporting obligation for security breaches. GDPR will gradually expose wider businesses’ weaknesses, possibly in different sectors, as the reporting obligation bites, but it won’t do it all at once. We may see a different breach pattern once we’ve had the security breach notification rules in force for two or three years.
What does a successful data protection compliance programme look like?
As ever, it varies with the organisation, but aspects which successful programmes have in common would be:
- A commitment from senior management to ensure that the compliance programme is achieved and properly resourced
- A team with sufficient skills and knowledge to be able to run a project
- A clear understanding of the data held by the organisation and the data flows
- A practical risk assessment to make sure that the programme addresses the risk areas in a structured way
- A good grasp of where external processors are used and where there are joint controllerships
- Buy-in from developers and engineers as well as business units and the marketing department
- Adequate training for staff, and effective policies in place.
Are there enough data protection lawyers out there with practical experience?
The market for lawyers and other privacy professionals with several years of real solid experience is very tight at the moment. A lot of people do some DP as part of a legal job but there are not as many specialists as are needed. No doubt that will change over the next few years.
Does our idea of the Data Protection Officer (DPO) need to change in response to the implementation of the GDPR?
Yes, very much. First we need to distinguish between a statutory DPO and someone who takes the lead DP/privacy role but is not appointed under the statutory criteria. It will be important to make sure that it is clear whether a DPO appointment is a statutory one or not – if a statutory DPO is appointed the data controller has to make sure that the DPO is able to fulfil the necessary tasks and be involved in developments in good time.
Data processors will be covered by the GDPR – what should they be doing now to comply?
- This is a huge change as processors must know what data they are processing, ensure security is appropriate, must not make overseas transfers without proper grounds and are equally responsible with data controllers for ensuring that a proper contract is in place between the parties.
- Processors should be reviewing all their contracts with data controllers to check that the contracts meet the requirements and also to ensure that their client data controllers are committed to providing processors with the information that they’ll need to do their job.
- Processors also need to review any transfers of personal data outside the EEA and look at their use of sub-processors to check that those contracts are meeting the right standards.
What impact do you think Brexit might have on the GDPR?
- The Government has said it will legislate but we don’t know how – no draft legislation has been produced yet.
- Post-Brexit we will be a “third country” as far as EU Member States are concerned, so data flows will apply to us. Business has been absolutely clear to Government that it needs to ensure that data can continue to flow and that means some form of adequacy agreement as part of the Brexit deal. But how that can be achieved will be unknown until the negotiations are concluded.
Rosemary Jay gave evidence to the House of Lords’ EU Home Affairs Subcommittee.
And what about European case law?
There are relevant CJEU decisions on data protection and there will be more. It seems likely that case law decided while we were in the Union will still bind us when we leave, and then we’ll have to decide what to do, going forward. If we want pan-EU data sharing then part of the price may be accepting CJEU decisions in order to maintain consistency. In any event, we continue to be subject to the ECtHR in Strasbourg. The ECtHR applies the same human rights principles as the CJEU does. If we resiled from the ECHR the ECtHR cases would become persuasive rather than binding – but they would still be very strongly persuasive.
Is it realistic that UK companies will be ready for the compliance deadline of 25 May 2018?
A lot of work is going on in the UK. The ICO has been issuing guidance and UK companies and the public sector are working hard to achieve compliance with the new rules. However, it’s not possible that everyone will get there on time and there will inevitably be some areas where companies are not ready. That is one of the reasons it’s important in any compliance programme to look at the risk areas and focus on those which are more risky, such as where sensitive personal data are processed.
Do you have any advice for organisations on how to prepare and meet the 72 hour data breach reporting deadline?
- The first point to make is that the organisation needs to put in place an alert system to ensure that it knows that it has had a data breach. That is harder than it sounds as data breaches can take many forms. It’s also important to educate staff so they know to contact the right person immediately when they become aware of a breach. Good investigation will also be critical so that the first report can be as clear as possible.
- Putting in place a system to alert an organisation to security breaches is easier said than done. Often when a breach comes to light, it happened 3 or 4 years ago. I suspect lots of security breaches get buried in IT and never reach management.
Will the increased fines be a big enough disincentive to ensure that firms comply with the GDPR?
Yes, to the extent that fines do act as a deterrent; but often it’s also the bad publicity that deters companies.
There’s been a lot of talk about an individual’s right to data portability, but which areas will this right actually affect in reality?
This will take some time to become a reality but there are two or three main areas it is likely to affect. Social media platforms are one, financial services are another and utilities and similar consumer services seem to be the third.
Rosemary Jay’s Guide to the General Data Protection Regulation is available now from the Sweet & Maxwell online store.