Elizabeth Denham, the UK's Information Commissioner, has accused the media of scaremongering by focusing too much on the fines that may be imposed once the General Data Protection Regulation (GDPR) comes into effect on May 25th.
While the numbers are certainly eye-catching (up to €20 million or 4% of global annual turnover under GDPR), Denham argues that this obsession is distracting and simply not true: "This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that."
- The ICO will not impose maximum fines early on, for minor breaches or just to set an example of firms
- Imposing fines is always a last resort - the evidence backs this up (out of 17,300 cases in 2016/7, fines were imposed on just 16 organisations)
But, let's not forget… the ICO has a variety of other weapons at its disposal - warnings, reprimands and corrective orders, with the potential to inflict significant damage on a company's reputation. It's not just the money! Are you ready?
Follow these tips to safeguard your reputation and prepare for GDPR:
- Set the tone from the top - Demonstrate your commitment to data protection at the highest level with statements made by the CEO and Board. This sends a clear message to everyone that data protection matters and must be taken seriously.
- Start documenting - Record what personal information you collect, use, store and share with other people; map the areas that will have the greatest impact on your operations and therefore require the most work. This is a good starting point for the Data Protection Impact Assessment.
- Review and document legal basis - What legal basis do you rely on currently for collecting and using personal information? Is your processing fair? Remember, where you rely on consent, then individuals will have much stronger rights.
- Check individual rights - Check that your current procedures address all individuals' rights - especially the new rights of erasure ("to be forgotten") and portability. Make sure that you have a legitimate basis for storing personal data; remember, it's down to you to demonstrate that your legitimate interests override the interests of data subjects. Consider how you will deal with anyone who objects to your storing their personal data on the basis of legitimate interests.
- Review procedures on subject access requests - After 25th May, you'll only have one month to respond to all SARs. Are changes needed to speed up your response? What arrangements are in place for handling more complex requests (for example, to improve your communication with anyone making such requests)?
- Review and update consent - How do you currently obtain consent? Can you currently prove, in all cases, that you have consent to process personal data? If not, how do you plan to document the consent you have?
- Be proactive and aim for data protection by design - Going forward, how might you integrate data protection into all your processes from the start, to minimise the risk of breaches and ensure all of your processing is fair and legal? Have you carried out and documented Data Protection Impact Assessments (DPIAs) or Privacy Impact Assessments (PIAs) to strengthen protections for individuals? Look at all the 'touchpoints' where you request, use, store and transfer personal data: what processing do you carry out, what legal basis applies, and so on.
- Appoint a dedicated Data Protection Officer - If you haven't done so already, appoint one and make them responsible for data protection compliance right across the organisation. Consider how they will operate within your existing organisational structure, the responsibilities they should have (e.g. liaising with regulatory bodies, board-level reporting, providing training) and governance issues.
- International transfer issues - Where your operations are global or cross-border in nature, you'll need to determine which data protection supervisory authority you come under; whether there are binding corporate rules covering intra-group international data transfers (or whether there should be); and whether there is adequate training to educate employees on which transfers are and aren't acceptable. What support or advice is available to help them make the right decision? How is consent obtained for international transfers, and are individuals made fully aware of the risks at the time of consent?