With GDPR officially coming into force this Friday, some UK retailers handling consumer data are labouring under several critical misunderstandings of the new regulatory landscape they must comply with, reveal Quentin Hunt and Dean Armstrong QC, barristers.
The two barristers have joined forces to debunk five common misconceptions and offer their expertise so that organisations can test their readiness and become au fait with GDPR.
This concern is echoed in new research by Capgemini, which found that 45% of UK companies are not yet fully compliant with the upcoming regulation, with 18% of that cohort reporting that GDPR is not a priority for them.
Overall, 85% of US and UK organisations will fail to be fully prepared for compliance by the looming deadline.
According to Quentin Hunt and Dean Armstrong, one of the most significant legal complications in understanding GDPR is that it is not a rule-based piece of regulation.
“When you’re dealing with something like the EU’s Markets in Financial Instruments Directive (MiFID), or driving at 35 miles per hour (mph) in a 30mph zone, the parameters of the law are clear-cut, and there is little need for interpretation,” explains Hunt.
“GDPR, on the other hand, is a principle-based regulation. Compliance is assessed in accordance with designated principles, such as whether ‘effective’ consent has been obtained by the data owner and whether that data is considered to be ‘current’. Should an investigation arise, such judgements would be at the discretion of the Information Commissioner’s Office (ICO) and would involve a legally-based assessment. So, it’s easy to see how organisations who might consider they’re on top of GDPR may, in reality, be at risk of being found to be non-compliant.”
While fines and losses are often accepted as a necessary cost of doing business, GDPR fines are at a level never seen before in data protection. The scale of these financial penalties has the potential to destroy a business, Hunt and Armstrong warn.
Certain infringements have the potential to incur fines of up to €20 million (£17.55 million) or 4% of worldwide annual turnover – whichever is higher.
The nature, gravity and length of the infringement, the number of people affected, and any mitigating action will all affect the level of fine. Plus, there’s the reputational damage to consider. If severe, a breach could impact massively on share price, leading to the possibility of class actions and loss of consumer confidence.
If your business depends on trading with EU citizens, it will still need to adopt data protection rules that are as rigorous as GDPR, or more so.
Hunt and Armstrong point out that anyone wanting to access the EU market has three paths open to them:
a. One option follows the Norwegian route and involves joining the European Economic Area, which requires that non-EU countries implement rules and procedures that are equivalent to those in the EU.
b. Bilateral trade deals with the EU typically result in the non-EU country having to agree to apply laws that are at least as demanding as EU legislation. This is the route Switzerland has taken. In both these instances, non-EU countries would have to adopt data protection regulations that are as strict as GDPR.
c. It is possible for a non-EU country to maintain independent trade deals without taking on the burden of equivalent obligations, but in this instance, GDPR will still require ‘adequate’ protection to be put in place in order to allow EU members to pass information to the non-EU country.
The core message is vital: if your organisation is offering goods or services to EU citizens, or monitoring their behaviour, then GDPR will still apply to you, regardless of your own organisation’s location.
Hunt and Armstrong are keen to emphasise that GDPR is something that every business leader must fully understand and be on top of.
“At the regulation’s core is the sanctity of personal data,” says Hunt. “This is centred on the notion that personal data belongs to the individual and that businesses are mere custodians. It represents a fundamental change in the way that every organisation uses, manages and protects data – and ignorance or buck-passing will be no defence at all. It is absolutely an executive responsibility to ensure that your team understands what GDPR means for their job.”
In Hunt and Armstrong’s experience, many organisations are still wrongly assuming that GDPR is all about the data hack and that beefing up cybersecurity measures provides all the answers.
However, compliance by design and by default is the GDPR mantra; by definition, therefore, technology can only solve part of the problem.
In the case of, for example, a breach caused by someone leaving confidential papers in a taxi, there’s nothing technology can do to prevent that.
What’s more, the two barristers note, GDPR also forbids reliance on automated decision making.
This means, for example, that mortgage companies can no longer approve or reject an application based on an automated credit score.
Technology has a role to play in GDPR, but there is also a crucial role for human judgement and the ability to reverse a decision.
Technology should only ever play a supporting role to bespoke expert advice in this area.
Especially with the enforcement deadline looming, Hunt and Armstrong’s initial advice is to consider the following questions to establish your organisation’s readiness for the regulation.
   a. Can any of this data be anonymised?
   b. Where is the data going?
2. Review your processes for data breach notification, security and risk assessment.
3. Check your contracts – do you need to conduct a data protection impact assessment?
4. If you are a data controller, review your relationships with data processors.
5. Train your workforce. As mentioned, it is not enough to rely on your compliance or technical teams.
   a. Do you need to hire a data protection officer?
   b. Do you have adequate processes in place should employees have to handle a severe data breach?
   c. Are your contracts – with staff and subcontractors – GDPR compliant?
   d. Have you given your employees the correct information?
“There is still time to make an initial and informed assessment of your readiness for GDPR,” says Hunt.
“But, with so many misconceptions remaining rife, and with so much at stake if you fail to comply, it’s vital that you honestly assess these areas immediately and seek advice in any areas that are unclear.”