In May 2018 the ‘new’ General Data Protection Regulation (GDPR) came into force. This was the first major overhaul of the UK’s data protection law in over 20 years. The new law was based on the same basic principles as the old one but introduced some significant new requirements – eg data breach notification – and more severe penalties for non-compliance.
The organisations we have been working with over the last couple of years have been in very varied states of preparedness for the GDPR. They fell into three basic categories:
- Bad state of compliance with the old law and no plan in place for complying with the new law, inadequate resources or access to expertise to satisfy even current legal requirements
- Satisfactory state of compliance with the old law and with a basic plan to ‘tick off’ the GDPR’s new key requirements, full compliance being a work in progress
- Good state of compliance with the old law and a comprehensive, properly planned and resourced GDPR compliance programme ‘ready to go’ from Day 1
Most businesses we worked with fell into the middle category, with only a few either being totally unprepared for the coming changes or confident that they would be compliant from Day 1. Some organisations had been working on a GDPR compliance programme for several years. For others it was a last-minute panic – with too much to do in too little time – the problem often being compounded by a poor sense of risk and prioritisation.
The change to the law provided an opportunity for many organisations to re-assess their approach to data privacy, to find the necessary resources and put measures in place that they should have implemented years ago. We certainly saw data privacy going up the corporate agenda, partly as the result of compliance-panic, but also – in more enlightened organisations – through a realisation that ‘doing personal information properly’ is going up the public and regulatory agenda, is good for corporate reputation and trust and is ultimately good for business.
What were the main problem areas?
Record of Processing Activity (ROPA)
Under the GDPR, most organisations are required to document their personal information assets; what they are, who they are about, what systems they are stored on, how long the information will be retained for and so forth. Very few organisations had achieved this – only fairly new organisations that had put clear rules in place from the start about keeping personal information on the appropriate ‘official’ systems got anywhere near 100% ROPA completion.
Nearly all the organisations we worked with had problems with staff keeping personal information on unstructured, unofficial systems, with paper records being a particular problem area – particularly those in storage. Even organisations that had compiled a fairly complete ROPA often found it difficult to maintain and to secure ‘ownership’ of its content. The organisations that were most successful here were probably the ones that realised that maintaining a fit-for-purpose ROPA is a good investment, as it can facilitate other aspects of compliance, eg managing a retention schedule or dealing with a data breach or an information rights request.
Third-party suppliers and contracts
Every organisation we have worked with uses third parties – whether ‘controllers’ or ‘processors’ – to provide services to it. We found that few organisations could say with certainty that they knew who all their third-party suppliers were, or could locate all the contracts they had in place with them.
Many organisations had put a great deal of effort into finding out who their suppliers were and issuing ‘addenda’ to them to try to make the relevant contracts GDPR-compatible. Responses varied, with some suppliers – typically the more market-dominant ones – refusing to sign the addenda or simply ignoring the request. This presented a difficult policy call for organisations: either change suppliers, or continue to use existing third parties with non-compliant contracts in place. Most organisations appear to have chosen the latter course of action, believing their existing governance arrangements to be adequate and that they could show the regulator that they had at least tried to make their contracts GDPR-compatible.
Marketing and consent
This has been one of the biggest areas of legal uncertainty, and regulators in the UK and elsewhere have suggested that marketing should only be carried out on the basis of opt-in consent. However, the GDPR is more equivocal, and one of its recitals makes it clear that marketing can be in an organisation’s legitimate interests – ie that consent is not necessarily required. Most organisations we have worked with have – sometimes after considerable internal disagreement – ‘bitten the bullet’ and decided to go for opt-in consent for marketing. They have generally found that a lot of contact details were no longer valid and that, of the people whose contact details were valid, most failed to opt in to marketing, either not responding or actively opting out. Some organisations we worked with lost around 75% of their leads but, after the initial shock, generally seemed happy with the improved conversion rate of the residual 25% and are building up their marketing database on an opt-in basis. Opt-in is probably the best way to future-proof against the imminent changes to the rules around electronic marketing.
Privacy notices and transparency
This is generally a high-risk area, as privacy notices are open to scrutiny from (possibly disgruntled) members of the public or employees. Most organisations we worked with had privacy notices in place that contained all the elements required under the old data protection legislation. They were of varying quality, which is not surprising given the need for both legal precision and readability for the general reader.
Some organisations had failed to appreciate that GDPR-compatible notices have to contain several new and sometimes highly technical elements – eg information about the organisation’s legal basis for processing personal information or about the adequacy of data transfers. However, despite all the additional content needed, privacy notices also have to be concise and written in clear, plain language. The GDPR’s transparency rules were a particular challenge in contexts such as CCTV and mobile devices, where a fully GDPR-compatible privacy notice may be difficult or impossible to deliver. Some organisations have developed innovative solutions – eg placing QR stickers on existing CCTV signage. Many organisations went for a layered approach – ie a front-page summary privacy notice with a link through to more detailed information for those who want it. This seems to be a standard that regulators are happy with and that is relatively easy to deliver in practice.
Data breach notification
There have been various forms of breach notification in place for several years – eg for telecoms providers and financial services firms. However, the GDPR’s breach notification requirement was new for many organisations we have worked with. The main problem has been for organisations to make sure their staff know what a data breach is and how to respond if they become aware of one. This is crucial given the GDPR’s tight timelines for breach reporting. However, organisations also face a dilemma in developing their policy on whether to tell the ICO – and in some cases the individuals affected – about a breach. Organisations could face a fine for a data breach, or a similar fine for non-notification of a reportable breach. Most organisations we have dealt with seem to be veering towards over-notification, while making sure they have a ‘good story to tell’ in terms of the remedial action they took after the breach was detected.
Individuals’ rights
The main right people exercise continues to be subject access. We have found that organisations that were already receiving subject access requests (SARs) continue to do so, but in slightly larger numbers given recent publicity around rights and the abolition of the old £10 fee. Some organisations that had never received SARs in the past have been receiving a few – often from former members of staff. These can prove very time-consuming and expensive to deal with. It has been interesting to help relatively inexperienced organisations deal with these – and to explain that there is no ‘I wish I hadn’t written that’ exemption just because the material is embarrassing or shouldn’t have been put on somebody’s file in the first place. The lesson is to always assume that when you record information about someone, the person you would least like to see it will get to see it. (In borderline cases the regulator will usually side with the individual rather than the organisation holding the information, so be prepared to hand over the information even if you really don’t want to.)
Organisations have also found some of the other new GDPR rights difficult to comply with. For example, the GDPR’s rules around automated decision making require an organisation to provide meaningful information about the logic used to make a significant decision about someone. In the context of AI and robotics becoming mainstream in financial services and elsewhere, it is by no means clear what standards organisations are meant to reach or how the complex data processing activities that underpin so much decision-making can be explained meaningfully to the ‘average’ individual. This is a good illustration of an area where data privacy is very much a work in progress, with little if any authoritative guidance or legal precedent to go on.
Appointment of a Data Protection Officer (DPO)
The GDPR requires some organisations to appoint an ‘official’ Data Protection Officer. However, the GDPR’s threshold for doing so is far from clear. For example, if an organisation’s core activities involve the large scale, regular and systematic monitoring of individuals then it has to appoint a DPO – but what are ‘core activities’ – how large is ‘large scale’? Some organisations have appointed a DPO when they probably didn’t need to do so – ie low risk organisations with very limited personal information assets (typically about their employees, customers and business contacts). However, we have advised the organisations we have worked with that they should be aiming at putting an effective privacy function in place, whether or not that involves the appointment of an ‘official DPO’. That would probably be sufficient from a regulatory point of view, given the uncertainty over the legal thresholds for appointing a DPO.
International roll-out
The GDPR is often seen as the international ‘gold standard’ for data privacy law, and several multinational organisations that we have worked with have sought to roll out their GDPR programme internationally, ie in territories outside the EU/EEA where the GDPR is not in force. This approach works up to a point, and we have tried to help organisations develop an approach that works across their business, whilst recognising that there must be some areas of divergence, for example in territories where individuals’ information rights are not legally enforceable or where there is no recourse to an independent regulator. There are also conflict-of-laws issues to be negotiated, for example where data privacy rights conflict with the rights of freedom of expression or access to information. (This can be a problem when attempting to ‘export’ the GDPR to the US, for example.) The experience we have built up in dealing with international data privacy issues has also been useful in advising clients on the likely impact of the UK leaving the EU and becoming a ‘third country’ – possibly an ‘inadequate’ one – in GDPR terms.
Are we compliant or not?
Organisations have often sought assurance that they are fully compliant with the GDPR. This is understandable, but it is an assurance that cannot be provided. This is because it is often very unclear what compliance involves – see the comments above about the appointment of a DPO, for example – and because so far there is little guidance from regulators or legal precedent. We have tried to help those we have worked with to focus on the main risk areas for their business and to make sure they have the main compliance building blocks in place, so that they can, for example, deliver individuals’ rights or respond appropriately to a data breach. At this time, that is probably the most the regulator will expect, recognising that data privacy compliance is very much a work in progress.
Where do we go from here?
The general state of affairs is that most organisations we have worked with have negotiated GDPR implementation fairly successfully and are moving data privacy into their business-as-usual processes. Our data privacy function has moved in a similar direction, focusing less on just GDPR controls and more on data governance and the adoption of good practice in the handling of personal information. We have tried to promote effective data privacy as part of good corporate citizenship, and of creating an ethical and sustainable relationship with the people whose personal information an organisation relies on to conduct its business. This is an approach we will be developing further as the panic over GDPR dies down, but as personal information remains high on the public and corporate agenda.