As expected – or feared – implementing the incoming General Data Protection Regulation (GDPR) is a mammoth task for some companies. ‘It is all-encompassing,’ says Karen Kerrigan, chief legal officer at equity crowdfunding firm Seedrs. ‘The advantage of being a small business is that you can involve all the other departments. Frankly, I would be terrified of GDPR if I was at a large business, because you have to take a much more decisive risk-based approach in terms of what you are physically able to look at. We were able to sit down with our development team, our marketing team and our investments team, and go through every single one of their activities and the service providers they were using.’
To say GDPR will have wide implications for in-house teams is an understatement. It is unlikely that there will be any client or any part of a client’s business that will remain unaffected by the EU regulation, which has a deadline for implementation of 25 May 2018.
‘GDPR talks to what is expected of an organisation to show compliance,’ notes Vinod Bange, head of UK data protection and privacy at Taylor Wessing. ‘It talks about accountability and governance, and the ability to be able to demonstrate that you as an organisation have thought about the data you hold, you have a clear idea of that data and you have analysed the gap, because GDPR requires more than previous legislation.’
Best behaviour
Elements of the GDPR, such as the right to be forgotten and the substantial increase in fines, may grab the headlines (see box, ‘Mythbusting’, below), but the most significant feature of the legislation is the cultural change expected of companies to become compliant. The GDPR has a front-line obligation that organisations need to be able to demonstrate they comply with the legislation, for example by carrying out data protection impact assessments if their proposed activities are likely to result in a high risk to the rights and freedoms of individuals.
Also included in the legislation is the concept of ‘privacy by design and default’, which will be enshrined into statute. This means that data controllers – defined by the UK Data Protection Act 1998 as a person who determines the purposes for which, and the manner in which, any personal data is processed – are specifically prevented from setting defaults to disclose data to all.
‘In a sense it is not even a legal project,’ says Mark Taylor, a data protection partner at Osborne Clarke. ‘It is a project which requires changes and adjustment to your business and your processes, and while your legal team can help you understand what the law is and guide you on what you need to do, the changes you need to make as a client need to be driven from within. It is a cultural change and that is not something you can get your external counsel to deliver. It needs to be either led by the GC or even the board.’
Skyscanner’s chief legal officer Carolyn Jameson agrees. ‘The way we are approaching it is to do a comms plan on a campaign so that we embed the right attitude to the new organisation. We have made sure it is setting the tone at the top. We began with an email from the CEO talking about consumer data and the importance of protecting it.’
At business-to-business media company Ascential, group commercial counsel Alana Tart has put in place steering committees within different business functions, such as marketing, sales, HR and finance. The steering committees are responsible for the basic implementation work and, according to Tart, their most important function is to start embedding the behavioural change that the company needs to have.
‘Let’s take sales – people don’t consistently record their customers in appropriate ways, like ensuring that we don’t have duplications, or making notes in notebooks, not realising that under a subject access request, that is discoverable – small behavioural changes that are important for people to comply with the GDPR, which is data protection by process and design. We want to make sure that whenever someone sees a piece of personally-identifiable information [PII, information that can be used on its own or with other information to identify, contact or locate a single person, or to identify an individual in context], they have that little voice in their head saying: “Ah, PII – I need to make sure I am being more careful with it!”’
To embed behavioural change at Ascential, the company has put a communication plan in place, which involves online learning modules, face-to-face training and infographics. Ascential, which has already gone through an initial awareness and buy-in stage, as well as an entire company-wide audit to prepare for GDPR, also intends to put in place technology limitations, such as restricting the number of people who can download reports.
The issue of consent is also one that comes under behavioural or cultural change. Under GDPR, organisations that rely on consent to process personal data will need to show that consent is freely given, specific and informed, and is an ‘unambiguous indication’ of a data subject’s wishes, and expressed either by a statement or a clear affirmative action.
According to Taylor, one of the most common queries Osborne Clarke receives from clients about GDPR is around the principle of consent.
‘A common misconception is that you have to have consent from individuals to use their data. That is not necessarily true, but that is a question that crops up quite frequently because it is harder to achieve. People are getting worried about whether they have to get consent from all the individuals whose data they hold.’
Other common queries on GDPR include questions around external elements that will soon start to have an impact on their day-to-day operations, as well as whether a company needs to comply with the requirement for a data protection officer (DPO).
‘They will ask us to enhance their website privacy statement, which is a public statement of “here is what we do with people’s data”,’ says Antonis Patrikios, a partner at Fieldfisher. ‘We see a lot of interest on whether companies need to appoint a DPO and, if they need to appoint a DPO, where should they sit.’
‘Every external counsel has a different view on whether a small business that is doing digital marketing should be appointing a DPO or not. Once we have worked out internally the changes we will be making, we will ask external counsel the hard stuff,’ adds Kerrigan.
Clients also want reassurance that in the UK the Information Commissioner’s Office (ICO) will not start dishing out massive fines. Under the GDPR, the stakes of non-compliance are substantially raised with maximum penalties of 4% of annual global turnover or up to €20m – whichever is higher. This is compared to the current maximum fine of £500,000 in the UK for serious breaches of the DPA. Additionally in the last couple of years the total fines issued by the ICO have steadily increased from 18 fines with a total value of £2,031,250 in 2015, to 44 fines up to August this year totalling £3,107,500. Clients are wary that the GDPR may give the ICO more bite.
‘The fines make people stand up and pay attention. We have never had an issue with management or the board not being sensitive to data privacy, but the fines have made them think: “This is something we should treat very seriously”,’ adds Kerrigan.
However, in a blog UK Information Commissioner Elizabeth Denham recently published called ‘GDPR – sorting the fact from fiction’, she states that focusing on the potential of crippling financial punishment is missing the point. ‘It is scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm. We have always preferred the carrot to the stick.’
For Tart, the fines are not the overriding concern. ‘If our customers can trust us to use their data properly, we can have better relationships with them. In terms of whether this is a higher risk level for fines – I am not worried about that risk. A data leak means we could end up in the papers and means customers stop trusting you with their data.’
‘Fines sharpen the mind obviously,’ adds Stephen McCartney, director of privacy in Europe at Pearson. ‘But the key area that is going to have the most impact is the requirement to not just be compliant, but to be able to demonstrate compliance with data protection law. This is going to require much more administration and resource on behalf of our clients and is an area that will be a competitive advantage.’
According to Jameson at Skyscanner, embedding a cultural change at an internet company is a bigger challenge than at heavily-regulated financial institutions. ‘People are a lot less receptive to those sorts of arguments in an environment like this. And that is why we have to come at GDPR from a consumer angle.’
The new Millennium bug?
Yet despite concerns over larger fines and loss of competitive advantage, there is a huge variation in how well businesses are prepared for the legislation.
‘We have been working with clients in some cases for over a year on GDPR compliance, but the picture is mixed,’ says Taylor. ‘There has also been a lot of fear and doom preached by certain sections of the legal profession and the consultancy profession about how the massive fines mean the end of the world is nigh. That is not helpful and frankly in some cases isn’t true, so some clients close their ears to it. As some clients have put it: “Is this another Y2K?”’
According to external counsel, larger financial services and technology clients are generally ahead when it comes to the implementation of GDPR, with some clients starting the process last summer or appointing advisers as early as the beginning of 2016. However, the number of projects for external advisers has shot up dramatically over the last three months, demonstrating that more clients are taking notice.
The first step for many clients is data mapping, which shows a company what data it holds, where the data is stored and how it is processed. Depending on the size of the company, external advisers may be involved at this point.
‘We started preparing earlier this year,’ says Kerrigan. ‘The biggest exercise we have been undertaking is our internal data mapping and speaking to all of the relevant teams to work out the action plan for implementation.’
The legal team usually leads on the implementation of the GDPR, but the legislation may also lead to a growth in privacy teams or the creation of new roles altogether.
‘We pretty much always deal with GCs, but for larger organisations we are seeing new roles – almost a GC for privacy, which is an interesting development,’ says Bange. ‘There are more individuals who haven’t got a privacy background in a legal team being asked to take this role in terms of driving GDPR forward,’ adds Taylor. ‘We will see an increase in the size of privacy teams from now and the clients that don’t have dedicated privacy teams are now looking to form them – undoubtedly.’
At Pearson, the data privacy office has led on the implementation of the GDPR, including revamping the existing governance structure for data privacy across the business, and developing a process that sets out the privacy team’s roles and responsibilities on incident response. Pearson is also building its data team internally.
With substantial variation in how clients are approaching GDPR, there is clearly no one-size-fits-all response. But as Patrikios concludes, businesses need to show that they have at the least given the GDPR some serious consideration.
‘What we tell our clients is: “This is not rocket science, but it is not a quick and dirty job you can leave to the last month.” The key message for businesses is that whatever they do they should have a think about GDPR and how it impacts the business, and then have a plan about doing something about it. The one thing regulators will look very unfavourably at come June 2018 is a business that says “haven’t thought about this, didn’t think it was important, haven’t done anything about it”. That definitely will not go down well.’
GDPR – at a glance
The EU’s new region-wide standard for policing data use and privacy comes into force in May 2018. The regime modernises and substantially toughens protection of data.
Key provisions include:
- Maximum penalties for breaches of 4% of annual global turnover or €20m, whichever is the higher – a major increase in potential fines.
- The need for certain business activities to require data protection impact assessments.
- Individuals entitled to find out details of information held about them.
- Some companies obliged to appoint data protection officers – debate continues as to which types will need such officers.
- Consent must be explicit for data to be collected and the purposes for which it is used.
- Expansion of rights of data subjects, including the controversial right to be forgotten.
- Organisations will be regulated by a single data watchdog in the place of their main establishment.
- Ushering in of ‘Design by Default’ framework meaning technology, processes and systems required to default to high privacy settings.
Mythbusting: the introduction of GDPR in perspective
The General Data Protection Regulation (GDPR), which aims to reform, modernise and harmonise European data protection law, was agreed at the end of 2015 and will replace the current 1995 Data Protection Directive and, in the UK, the Data Protection Act 1998 – the first example of a Europe-wide benchmark. The remaining disparity between EU member states along with the transformational impact of technology on all aspects of data has meant that the case for new legislation is long overdue.
‘Even before social media and artificial intelligence, the Data Protection Act and the 1995 directive were bursting at the seams,’ says Vinod Bange, head of UK data protection and privacy at Taylor Wessing. ‘Offshoring, which we now describe as “cloud” – these are not new things any more. If you go back to the 1995 directive, which was by and large negotiated and debated in 1992/93 – there was no social media, barely any email and offices didn’t have PCs. The commercial world is very different now.’
The GDPR is lengthy, running at over 200 pages, with headline provisions including greater territorial scope, significantly larger fines and the requirement for some businesses to have data protection officers. However, the legislation leaves much open to interpretation, which gives the governing body – in the UK’s case the Information Commissioner’s Office – much bigger potential bite. That ambiguity combined with media scare stories on elements such as ‘the right to erase’ or, as it is more commonly known, ‘the right to be forgotten’, have led to much alarm in the in-house community over the impact of the GDPR. So much so that the UK Commissioner Elizabeth Denham recently posted a blog called ‘GDPR – sorting the fact from fiction’. In it, Denham warns: ‘If this misinformation goes unchecked, we risk losing sight of what this new law is about – greater transparency, enhanced rights for citizens and increased accountability.’
She adds: ‘So, I want to set the record straight. I want to bust the myths, because I know that most organisations want to get the GDPR right when it comes into force.’