You just can’t escape privacy at the moment. From Snowden and the NSA, to Facebook and Max Schrems single-handedly bringing down Safe Harbour; from high-profile celebrity super injunctions through to front-page reports of high-profile data breaches. Rapid advancements in new technology connect us in a way that we’ve never been connected before – we live in an always-on, on-demand, 24/7 global society – whatever you want, whenever you want it, wherever you are. Rob from Fieldfisher tells us why it’s not time to panic!
We generate more data than ever before and we entrust more data than ever before to social networks, apps and connected devices – this is the age of big data, and with big data comes great responsibility. That’s what the GDPR is all about – building trust in an era of mistrust – ensuring that those organisations to whom we entrust our data are accountable and transparent, and if not, that we as individuals and regulators have the right to take action against them (including the right to vote with our feet and either take our data somewhere else [the ‘portability right’] or to have it erased [the ‘right to be forgotten’]).
As with all new laws, there are misconceptions about the GDPR, urban myths and scaremongering from lawyers about colossal fines (I’ll come on to this later)! If you’re feeling confused or overwhelmed by it, I’m not surprised. My advice is don’t panic – keep it simple, take it in bite-size chunks and you’ll be ok – here’s why:
The GDPR becomes law on 25 May 2018 – you’ve got two years to:
- Read it (be warned, it does take a while – so read it in bite-size chunks, by topic and not cover-to-cover)!
- Map your data flows and look at your current state of compliance (this may also take a while!)
- Work out the gaps between where you are and where you need to be – you need to know where you are to work out where you need to get to (and most importantly, how you’re going to get there – this is a project, not a part-time, one-man job)
- Prioritise the biggest risks for your organisation – if you try to deal with every change in parallel, you’ll fail (or drive yourself mad); also, your organisation is unique – what is right for somebody else won’t necessarily be right for you, so make your own informed decisions on what you need to prioritise based on what you do, the types of data you collect and what you do with it
- Get your board on-board – your project will need board-level sponsorship, not just for GDPR-readiness, but ongoing GDPR compliance – you need the board on-board and you need a project team
If you feel like you still need some gentle persuasion as to why you should start thinking about GDPR now, here you go:
- The GDPR doesn’t just cover names, addresses and marketing databases – information about people which you take from cookie strings, IP addresses and device IDs is all personal data (yes, even if you replace the person’s name with some other ID; yes, even internet browsing behaviour and location data…)
- You’re not in the EU? Doesn’t matter – wherever you are in the world, if you offer your services to EU citizens, you have to comply
- You’re a service provider? For the first time, you’ve got direct obligations and liabilities to regulators and individuals if you don’t comply with data protection laws
- You know I said transparency is key? Currently, most organisations don’t have to tell the regulator if there’s a security breach which compromises customer/employee data – now you do. You might also have to tell the individuals whose data has been compromised
- No GDPR post from a lawyer would be complete without mentioning fines (in fairness, I have left it until last). Yes, the fines are potentially enormous and dwarf the current fines capped at £500k in the UK. EU regulators have the power to issue fines of up to 4% of annual global turnover (not just the turnover of the company in breach, but its parent companies as well)… plus regulatory audits, rights to ban processing of data, class actions, rights to compensation – it’s a radically different risk profile
But it’s not just about the fines – organisations must provide individuals (and regulators) with more information upfront than ever before – about the types of information they collect about people, what they use it for, who they share it with, how long they keep it for, where it goes in the world; you can’t do this without going back to basics and mapping data-flows end-to-end (and being really critical and honest about what the GDPR means by personal data).
The other thing you should know (and which you’ll hate me for) is that the GDPR isn’t the end of the story; it’s really just the start – detailed guidance will follow (lots of it), so keep an eye out for this. First off the line will be guidance on data protection officers (the good news is, not everybody has to have one!); ‘high-risk’ processing; and the new right to ‘data portability’ (and you thought subject access requests were hard)!
So, don’t panic but whatever you do, don’t do nothing!
Rob is a partner in Fieldfisher’s top-ranked Technology, Outsourcing and Privacy team (and is a self-confessed privacy geek). The Fieldfisher privacy team advises some of the world’s biggest brands on privacy compliance from its UK, European and Silicon Valley offices.