With reports of one in four businesses still unprepared for the EU General Data Protection Regulation [Source DMA GDPR and You Chapter 2] and almost a year to go until it becomes enforceable law, businesses that don’t currently have a plan in place for compliance need to catch up fast.
In this interview, we talk to Sarah Day, a consultant at DQM-GRC (a leading data governance, risk and compliance business), about what organisations need to do to kick-start their GDPR project.
Dylan Jones: Before we get into your GDPR advice, can you tell me a little bit about your background and how you got into your current area of work?
Sarah Day: I worked for over 20 years for a learned society publisher, originally training as a scientific journal editor and later, moving into marketing. I gravitated towards digital marketing and was fascinated by the speed at which marketing technology evolves. It became quickly clear to me that sound customer data strategy and management underpins great marketing. I found myself naturally championing issues such as data quality and single customer view, and ultimately this led to me heading up a new CRM and data-driven marketing insights team for that organisation in 2013.
Early in 2016, with a growing awareness of the new EU General Data Protection Regulation (GDPR) that had finally reached a conclusion and agreed date for enforcement, I went along to DataIQ’s excellent series of briefing sessions.
The aim was to take notes and feed back to my organisation what we were going to need to do to comply with GDPR. I couldn’t get over how many people were at those briefing sessions voicing concerns and worries about the implications of this new legislation.
Many were from “my world” (the not-for-profit sector) – most likely because our Supervisory Authority (the ICO) had recently turned its attention on some of the fundraising activities carried out by charities. You could sense the strong desire in the room to comply with this new data protection law, tinged with a growing sense of panic that it was going to be a game-changer for many businesses.
I sat there thinking, “Wow, there are going to be a lot of organisations needing support through this journey”.
And then I thought, “I know what it’s like to try and sell an initiative like this to senior management to get the resources: it isn’t easy and you need to find the positives. I also know what data is really like in organisations: it often isn’t pretty and this is going to feel like a herculean task.”
And finally, I thought, “I think I might have something to offer here and could help”.
At the same time, my company was going through a restructure and offering voluntary redundancies. It was my first time going through that unpleasant process and I was determined to turn it into something positive and proactive: if there was ever a time to try something new this was it!
DQM-GRC had a growing GDPR programme and were looking to expand their audit team so I leapt at the chance to work with such an experienced and well-respected team.
Dylan Jones: What are the key changes that GDPR brings to legislation?
Sarah Day: The GDPR is Europe’s attempt to harmonise data protection regulations across its 28 member states and make the protection of a citizen’s personally identifiable information a basic human right.
It builds upon existing legislation; it’s certainly not all new but it’s considerably more stringent (on some topics) than existing data protection law including the UK’s Data Protection Act 1998 (DPA), the related Privacy and Electronic Communications Regulations (PECR) and the EU’s Privacy and Electronic Communications Directive (otherwise known as the E-Privacy Directive).
One of the key changes is that GDPR applies not only to the processing of personal information carried out by organisations operating within the EU but also to organisations outside the EU that offer goods or services to individuals in the EU.
In terms of key differences from current legislation, these include:
- the expanded territorial scope that I mentioned already (meaning GDPR also applies to non-EU companies that process personal data of individuals in the EU);
- a wider definition of personal data (which now, for instance, includes genetic, biometric data, mental health, cultural and social identity data);
- stronger requirements for obtaining and evidencing a person’s consent for processing their personal data (and parental consent is required for processing personal data of children under 16 – although member states can set different age limits);
- individuals (referred to as “data subjects”) have stronger rights, including the right to be forgotten and erased from all records;
- individuals may request a copy of their personal data (a process referred to as a data subject access request, DSAR) and whilst this isn’t new, per se, there are some new caveats (e.g., businesses cannot charge for this service, information must be supplied within 30 days of receiving a request, and data subjects can request to receive their information in a portable format, i.e., in a format that allows them to easily transfer their information to another business/service provider);
- appointment of a data protection officer (DPO) will be mandatory for certain types of organisation (e.g., public bodies or businesses whose core activities consist of processing “special categories of personal data”, i.e. the “sensitive personal data” categories under the UK DPA with the addition of genetic and biometric data);
- organisations must report certain types of data breach to the relevant supervisory authority (and in some cases to the individuals affected), within 72h after becoming aware of it;
- Data Protection Impact Assessments (DPIAs) will be required for certain “high risk” activities and products, services and solutions must be built with privacy and security in mind rather than as an afterthought (referred to as “Data Protection by Design and Default” under GDPR, but it essentially follows similar principles to what we more commonly refer to as “Privacy by Design”);
- Data controllers must ensure adequate contracts are in place to govern any 3rd parties that process data on their behalf. And those data processors can be held directly liable for the security of personal data they process on behalf of the controller;
- there are stronger expectations for organisations to demonstrate accountability for the security and privacy of the personal data they process, this includes keeping more extensive records of processing activity, policy and procedural documentation and employee training;
- and of course, the talking point for many around GDPR has been the significantly higher fines for non-compliance.
Currently, the maximum monetary penalty that the ICO has the power to impose on a data controller is £500,000 but under GDPR, businesses that breach the new law can be fined up to €2M or 4% of global turnover, whichever is the higher.
The International Association of Privacy Professionals (IAPP) has published a really helpful blog post on Consequences for GDPR violations, that explains the two-tier fines and how the complaint process will work under GDPR.
We’re already starting to see larger fines being reported: in March the Italian Data Protection Authority (Garante per la protezione dei dati personali, “Garante”) imposed the largest fine ever imposed by a European Data Protection Authority, issuing fines totalling more than €11 million on five companies operating in the money transfers sector for unlawful processing of personal data.
I think it’s also interesting that, unlike the ICO, some Supervisory Authorities in other EU Member States are funded by the fines levied: it will be interesting to see if and how this impacts the monetary penalties we see being proposed in different States.
Dylan Jones: Why do you think so many businesses have yet to initiate a GDPR compliance programme?
Sarah Day: Latest figures reported in studies like the DMA’s GDPR and You and DataIQ’s GDPR Impact Briefing Series show that 2017 has seen a respectable increase in the number of companies reporting that they have initiated plans for compliance, which is reassuring.
However, it’s not always clear whether these figures represent the (very) long tail of smaller UK businesses; anecdotally, it does seem as though it’s those smaller enterprises that are less geared-up to comply.
I think the laggards could be holding off for several reasons depending on the nature and the culture of the business concerned.
First and foremost, I think awareness about GDPR is not the same as preparedness for GDPR.
Awareness is definitely improving: ICO has ramped up its guidance and best practice; professional bodies like DMA and IAPP have really stepped up to the mark in terms of raising awareness amongst their communities; vendors have cottoned on to the huge potential footfall in GDPR-related web traffic and are creating content and news items accordingly (some of which is more useful and better informed than others); and newer initiatives like the GDPR Awareness Coalition are starting to emerge and produce some super, accessible GDPR awareness information.
I think there is a tendency to think that because awareness is growing in an organisation, you’ve “got this one in the bag”. But unless you have an active project (with senior sponsorship) supported by a robust plan that has clear requirements, objectives, scope, deliverables and due dates, a detailed schedule, risk assessment/management, defined roles and responsibilities, adequate resourcing and budget, QA and a comms plan – the chances of your business being compliant by next May are slim.
As ever, misinformation has had a big role to play.
Judging by the proliferation of articles that explore some of these common misinterpretations of GDPR (to set the record straight), there are some myths that just won’t bust, like:
- GDPR won’t apply to UK companies post-Brexit (it will)
- GDPR doesn’t apply to B2B marketing (it does)
- If you outsource your processing to a third party it’s their problem (no, as controller it’s your joint problem).
In general, there has been a drip feed of important detail around how to comply with GDPR and I think this has contributed somewhat to a “wait and see” attitude in some businesses that (understandably) don’t want to launch into programmes and solutions until they are clearer about what the end goal looks like.
The Article 29 Working Party (Art. 29 WP), an official group made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission, was set up to (amongst other things) provide expert advice to the States regarding data protection. The Group’s been tasked with giving additional guidance to businesses to help interpret some of the areas where the legal text could be considered ambiguous or open to interpretation.
Some businesses argue that compliance is all about risk appetite, tolerance, and threshold and that GDPR poses risks that are within an “acceptable range” to them. Sometimes, I wonder to what extent complacency has been provoked by overuse of scaremongering tactics around the quoted levels of fines (which we need to remember are not flat fines but maximums for the most serious breaches of the law) together with the (in general) modest fines issued to date by the ICO.
That said, I think Elizabeth Denham, our Information Commissioner, has been very clear about her intentions to take action and issue increasingly severe fines for non-compliance with existing and new data protection law and there’s evidence that she is significantly scaling up her team in readiness for some busy periods ahead.
Finally, I think GDPR initiatives share some very similar general challenges to those faced by data governance initiatives (that readers here might find very familiar) in that there is often a lack of ownership or unclear ownership in the business about who will lead (and fund) the programme (is it IT? is it Legal? is it Marketing?).
Also, once organisations realise the scale of what they face it can lead to paralysis: GDPR compliance projects can quickly become overwhelming and some businesses just don’t know where to start or how to make it manageable – denial starts here. As does passing the buck (it’s another team’s responsibility, right?).
Dylan Jones: I know a lot of our members are starting to wake up to the realisation that this is not something they can defer any longer – where should they start?
Sarah Day: I shudder when I hear junior employees say that they’re still trying to get their senior teams to act. That was OK 12-18 months ago but now it’s a red flag, flapping in the wind.
I think it’s too late for bottom-up approaches: GDPR projects need to be established as a priority initiative, with active senior sponsorship to be fast-tracked through project management frameworks.
Also, this needs to be a cross-functional, strategic project and resourced accordingly.
The GDPR awareness coalition I mentioned earlier produced a nice infographic recently showing the 6 Departments who have a role to play on the GDPR compliance Journey. (Of course, there are many others one could argue adding: Sales, Customer Services, Compliance, Data Governance…)
Organisations that do not free up adequate resources simply won’t be compliant by 25 May 2018.
Also, they’re now in laggard territory which means the risk and cost is even greater for them than it was a year ago: the project timeline is squeezed and if they don’t have the skills and need to bring in external help, the demand for expertise is great.
For example, if your organisation is one that must appoint a DPO, with average recruitment time-to-fill at an all-time high plus there being a DPO shortfall, you could find that this in itself is your first significant risk to mitigate.
Dylan Jones: You’re on the ground helping companies deliver against GDPR. What are some of the key steps towards compliance? What does a typical GDPR compliance project entail?
Sarah Day: Because GDPR builds upon existing data protection legislation, checking your level of compliance with the Data Protection Act and the Privacy and Electronic Communications Regulations is essential but often overlooked. Consider this the start of your “situation audit”, if you like.
You could get specialists in to help you do this or alternatively (if you want to save your consultancy budget for later parts of your compliance project) the ICO has a simple, free data protection self-assessment tool that small organisations can use to do a quick assessment of how well they comply with UK data protection law. It’s very easy to follow and will take 30 mins or less to complete. This will highlight any critical areas that you need to address most urgently.
Step 1 for most organisations looking to comply with GDPR is a full information audit to document what personal data the business holds, where it came from and who “has eyes” on it (including any third parties that it is shared with). The more mature your data governance programme, the easier this step is going to be.
For organisations that have not spent time mapping out the systems and documenting the processes they use to store, manage and transfer personal information, this is the first hurdle and it’s going to take considerable time and effort up front.
The results of the information audit are often captured in an information asset register (or similar). It’s helpful (but not mandatory) to support this with visuals showing the flow of information (e.g., data flow diagrams).
I really like the approach described in this article, Demystifying Your Organisational Data Flow: A How-To.
The general idea is to start with your data collection points and identify all data sources (e.g., how the data are obtained using hard-copy forms, telephone, mobile, email, online, web application, mobile application, desktop application etc.) Then identify all the places in which data are stored (physically and digitally), where the data are processed and where they are transferred to (e.g., manual processing, digital processing, other departments, agencies, clients, vendors, regulators and authorities). And finally, capture the data retention and deletion practices.
The audit and data flow maps help you determine what are the most pressing areas of concern in terms of risks to the security and privacy of the personal information your business processes directly or indirectly via a third party. From these maps, you develop your roadmap to close any gaps.
Typically the roadmap might include (but isn’t limited to):
- Breach notification plan. You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. You’ll need a documented plan and you’ll need to practice: what would happen if an employee had his/her laptop stolen or lost it, what would happen if an email containing personal data was sent unencrypted to the wrong external recipient, what about a breach caused by a 3rd Party? Or incorrect disposal of equipment so there is still personal data accessible. Consider what breach scenarios are most likely for your business and test to see how efficiently and effectively the company can respond.
- Procedures and plans for data subject rights. You’ll need to ensure you have plans and procedures in place to handle requests from individuals to correct, erase or restrict processing (e.g., automated profiling) of their personal information. You’ll need to review and update your procedures for subject access requests and plan how you will handle requests within the new timescales, in a portable format and provide any additional information.
- Reviewing third party contracts. The GDPR places obligations on controllers and processors alike and there is a requirement to ensure that your 3rd parties (if they’re processing data on your behalf or you have joint controller relationship in place) are doing so in a way that is technically and organisationally in keeping with your own. You’ll need to review supplier contracts and it’s worth sending out a questionnaire with some simple questions to understand how your 3rd parties are setting themselves up to cope with the GDPR. This will determine any high-risk suppliers for further review. You’d be wise to audit those that are slow in responding or are unable to demonstrate that they are proactively seeking to comply with GDPR.
- Reviewing marketing consent. The area of consent is a particularly challenging one. Although you don’t always need consent (there are several other lawful bases for processing personal data), if your organisation is going to use consent as a basis for processing personal data then there are some very specific requirements like consent must be unbundled (e.g., not a precondition of signing up to a service); active (i.e., no pre-ticked boxes); granular (e.g., separate opt in for telephone, mail, email, SMS, 3rd parties); named (your organisation and any third parties who will be relying on consent); documented (records to evidence when and how an individual opted in and the collection notice they were shown); easy to withdraw (simple, effective opt outs); and there mustn’t be an imbalance in the relationship between controller and data subject (this one makes it particularly tricky for e.g., public bodies to rely on consent).
- Rolling out training and awareness. This can take considerable time and effort to do well but is a critical component of showing that your business is taking adequate organisational measures to protect personal data and keep it secure. It’s worth considering the distinct types of role based training that may be required to ensure compliance and this might not be best delivered using a one size fits all: the IT team may need more support on privacy by design and conducting data protection impact assessments; the digital team on Adtech and the privacy implications; customer service reps may need Payment Card Industry Data Security Standard training (PCI DSS); and a whole team may need crisis management support.
- Data Protection Impact Assessments (DPIAs). A DPIA is a process which helps organisations identify and reduce the privacy risks of a project or multiple related projects. It’s not hugely dissimilar from doing a structured risk assessment but it’s focused on privacy risks. Under GDPR “DPIA is mandatory where processing is likely to result in a high risk to the rights and freedoms of individuals”. (Recent guidance has been provided by the Article 29 Working Party; here’s a nice precis: WP29 proposes DPIA guidelines, shedding light on “high risk” processing.) Known also as Privacy Impact Assessments (PIA), DPIA/PIA has been in existence for a while and is embedded into project management frameworks in many larger enterprises. Smaller organisations, however, may be less practised in performing impact assessments and so need processes agreed and training in place to get up to speed quickly.
There’s no one-size fits all for a compliance programme so it’s hard to define a standard timeline or “plan”.
Tim Clements, an experienced GDPR project manager and one of the thought-leaders in this area, has a really nice example of a Visual GDPR Game Plan that’s well worth checking out though. It does a far better job than I could do of giving a snapshot of a GDPR compliance project in a single page.
I’d also highly recommend reading ICO’s 12 Steps to Take Now, one of the very early pieces of guidance published on the GDPR and still a helpful primer to give an overview of activities your business should be doing.
Dylan Jones: When assessing compliance, what areas do you find businesses commonly struggle with?
Sarah Day: The DQM-GRC Audit team conducts GDPR compliance assessments for clients from all sectors and whilst each organisation has its own unique strengths and weaknesses, we tend to see some of the same sorts of compliance issues come up time and time again during our evaluations.
The first area of weakness tends to be around documentation.
The next area we see clients tend to overlook is data retention policies and processes. This is covered in Article 5 of the GDPR – under storage limitation. The ICO is becoming increasingly bothered by companies holding onto data longer than is necessary for the purposes of the processing. Storing information for longer than you need it adds cost and risk to your business and makes it harder to comply with data protection – especially around data subject rights like subject access requests or requests for erasure (the “right to be forgotten”). Despite it being a requirement under the current DPA, many companies haven’t updated their Data Retention Policy in some time or they collect data that isn’t covered by the policy. Organisations with an ageing technology stack are sometimes unable to delete records from databases and legacy CRMs – it just wasn’t a requirement when the system was first acquired. And even though many organisations do have legal (or even business) justification for keeping records for a longer period, we often find that they haven’t documented that rationale anywhere.
To take proper information security measures has always been a part of privacy legislation but it’s another related area where we see a need for more attention. Although there’s been much focus on cyber security measures, information security includes physical security and that is often neglected in terms of policy, documentation and training. Some businesses are not aware that employee data is covered under the GDPR – it’s not just customer and prospect data. Information security processes and practices must extend to the personally identifiable information (PII) you collect and process relating to employees, some of which is very likely to fall into the special categories of PII and require appropriate additional security measures. The GDPR champions pseudonymisation and encryption of personal data and we find many organisations could do more to implement Data Protection by Design and Default measures like these, in their information security strategy.
Training and awareness is an area many organisations either overlook or only partially tackle. With so many breaches being the result of something an employee has done – inadvertently or otherwise – part of your company’s data security and protection plan must be to make sure all your staff know the risks they face and their responsibilities. Quite often companies mix up data security with data protection or neglect one in favour of the other, e.g., at employee induction data security sessions are given but this is not always true of data protection. Information security and data protection training should be a core part of induction training with mandatory refresher training, and having some internal PR campaigns running alongside training is helpful to embed key messages. On the ICO website there are some great free resources you can use for a privacy awareness campaign. I really like the cards you can leave by the desk of someone who leaves their screen unlocked when they leave their desk and the post-its you can stick on unlocked filing cabinets. It all helps get the message across.
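The information audit that Sarah describes (collection points, storage, third parties, retention) and the recurring weaknesses she lists (undocumented retention, records kept past the policy with no written rationale, special category data without encryption or pseudonymisation, processors without contracts) can be turned into a simple, repeatable gap check. The following is an added illustration, not code from the interview and not DQM-GRC’s GDPR RADAR or the ICO self-assessment tool; the register fields, the sample systems, dates and third-party names are all constructed for the example, and the set of checks is a minimal subset of what a real assessment covers.

```python
# Added example: a minimal information asset register with a gap check,
# as one concrete form of the "audit, then build a roadmap" approach
# described in the interview. Field names and checks are assumptions.
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Asset:
    """One entry in the information asset register (field names are assumed)."""
    system: str                      # where the personal data is stored
    categories: List[str]            # what personal data it holds
    source: str                      # collection point: web form, telephone, ...
    lawful_basis: str = ""           # "" means nobody has documented one
    special_category: bool = False   # health, genetic, biometric, ...
    encrypted_at_rest: bool = False  # Data Protection by Design measure
    retention_days: Optional[int] = None
    retention_rationale: str = ""    # documented reason for keeping data longer
    oldest_record: Optional[date] = None
    # (third party name, processor contract in place?)
    shared_with: List[Tuple[str, bool]] = field(default_factory=list)


def check_asset(asset: Asset, today: date) -> List[Tuple[str, str]]:
    """Return (system, finding) pairs for the gaps the interview calls out."""
    findings = []
    if not asset.lawful_basis:
        findings.append((asset.system, "no documented lawful basis"))
    if asset.retention_days is None:
        findings.append((asset.system, "no retention period in the retention policy"))
    elif asset.oldest_record is not None:
        overdue = (today - asset.oldest_record).days - asset.retention_days
        # Storage limitation: keeping data past the policy period is only
        # defensible when the justification is written down somewhere.
        if overdue > 0 and not asset.retention_rationale:
            findings.append((asset.system,
                             f"records {overdue} days past retention with no documented rationale"))
    if asset.special_category and not asset.encrypted_at_rest:
        findings.append((asset.system,
                         "special category data without encryption/pseudonymisation"))
    for party, contract_in_place in asset.shared_with:
        if not contract_in_place:
            findings.append((asset.system, f"shared with {party} without a processor contract"))
    return findings


def gap_report(register: List[Asset], today: date) -> List[Tuple[str, str]]:
    """Run every asset through check_asset and collect the findings."""
    report = []
    for asset in register:
        report.extend(check_asset(asset, today))
    return report


def third_parties(register: List[Asset]) -> List[str]:
    """Everyone outside the business who 'has eyes' on personal data."""
    return sorted({party for a in register for party, _ in a.shared_with})


# Constructed sample register: systems, dates and third parties are made up.
AUDIT_DATE = date(2017, 6, 1)
SAMPLE_REGISTER = [
    Asset("CRM", ["name", "email", "postal address"], "web form",
          lawful_basis="consent", retention_days=730,
          oldest_record=date(2014, 1, 1),
          shared_with=[("Mailing house", True)]),
    Asset("HR system", ["name", "sickness records"], "HR forms",
          lawful_basis="legal obligation", special_category=True,
          retention_days=2190, oldest_record=date(2016, 1, 1)),
    Asset("Legacy support DB", ["name", "phone"], "telephone",
          shared_with=[("Outsourced call centre", False)]),
    Asset("Finance ledger", ["name", "bank details"], "invoices",
          lawful_basis="contract", retention_days=2190,
          oldest_record=date(2009, 1, 1),
          retention_rationale="statutory accounting retention"),
]

if __name__ == "__main__":
    for system, finding in gap_report(SAMPLE_REGISTER, AUDIT_DATE):
        print(f"{system}: {finding}")
    print("third parties:", third_parties(SAMPLE_REGISTER))
```

Run as-is it reports five findings: the CRM is holding records past its two-year retention with nothing documenting why, the HR system holds special category data unencrypted, and the legacy support database has no lawful basis, no retention period and an outsourced call centre with no processor contract. The finance ledger is older than its retention period but is not flagged because the rationale is recorded, which is exactly the distinction the interview draws between keeping data longer and being able to show why.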
Dylan Jones: Finally, as well as all the work around complying with GDPR within the enterprise, is there not a ‘slow drain’ on the business case for many things around a Customer-360 View of the client? The hoped-for insights (hype?) using new technologies around Big Data, Analytics, Social Media etc. are now facing considerable regulatory restrictions.
Is the value still there?
Sarah Day: There are two ways of looking at GDPR. Some only see the regulatory hoops to jump through, leading them to treat GDPR as a tick-box extravaganza. I think they’re missing an opportunity. The glass half full interpretation is that this new legislation is customer-driven and a positive move towards allowing us all, as individuals, to take back control of our personal data. I think Matt Anslow captures that sentiment nicely in his post, The General Data Protection Regulation (GDPR) – let’s look at it differently.
Evidence shows that, whilst consumers regularly share their personal information to receive some content or a service, they often do so reluctantly (researchers call it the “Privacy Paradox”).
But if as individuals we aren’t aware how the personal information we have shared with a business is being used, aggregated, enriched, interpreted, further-shared with third parties, and so on, then we are denied our basic right to object to that processing.
ICO has been quick to point out that GDPR does not outlaw big data practices such as predictive analytics, profiling, or personalisation – it just requires that businesses are more transparent about what they do with the data they collect and more accountable for keeping it secure and using it responsibly. And organisations that successfully embed privacy and protection into their business models will gain the trust of their audiences, and from that, their loyalty, their custom and competitive advantage in the marketplace.
And if I may be so bold (whilst it’s frustrating that it’s probably the scare tactics that have had the biggest effect), GDPR has played a major part in accelerating the awareness and adoption of good data management practices in businesses globally. For that alone, I think it’s a pretty positive change.
Dylan Jones: Where can people go to learn more about the work you’re doing in the field of GDPR?
Sarah Day: To find out more about the GDPR compliance assessments I carry out for DQM-GRC’s audit team visit http://www.dqmgrc.com/gdpr or use the form on the website to ask for more information.
Via my LinkedIn profile, I share useful (and free) GDPR resources, blog posts that I’ve found helpful and write the occasional article myself.
Disclaimer: The content of this interview does not constitute legal advice and should not be relied upon as such. Please check with your legal counsel when in any doubt about understanding your rights and obligations in order to comply with the law and regulations.
Biography – Sarah Day
Sarah is a consultant for DQM-GRC, a leading supplier of data governance, risk & compliance services in the UK.
DQM helps organisations to comply with new and existing legislation like the General Data Protection Regulation, the Data Protection Act, the Privacy and Electronic Communications Regulation, the E-Privacy Directive and security standards, like ISO27001.
DQM has developed a compliance assessment tool called GDPR RADAR™, which Sarah and other Consultants in DQM’s Audit team use to score a company’s fitness against GDPR, help clients identify where they need to improve and help set priorities for a bespoke programme to get an organisation GDPR-ready.
With over twenty years’ experience in both the commercial and not for profit sectors, and as a data-driven marketer, she is mindful of the delicate balance between the commercial interests of the business and the privacy rights of the customer.
She regularly writes and presents on topics related to customer data management and best practice.