With four weeks to go until GDPR comes into force, data controller organisations of all shapes and sizes may be feeling some anxiety as to whether they are yet fully compliant, or more realistically, whether they have done enough preparation work to satisfy the ICO – should it come calling – that they deserve a sympathetic hearing for any shortcoming.
Some general reassurance
GDPR has been one of the most hyped legal changes of the past decade, with much made of fines of up to 20 million euros (or 4% of worldwide annual turnover, if higher) and the hard implementation date of 25 May, with no further transitional relief. However, the good news is that:
- The ICO itself has been making increasingly reassuring noises about the 25 May deadline and its attitude to enforcement. On 12 April the Information Commissioner herself said in the ICO monthly newsletter: “For those that feel there is work to be done – and there are many of those… – I want to reassure you that there is no deadline. 25 May is not the end. It is the beginning.”
- These rather Churchillian words reinforced her message last August: “It is scaremongering to suggest we’ll be making early examples of organisations for minor infringements or that maximum penalties will become the norm… issuing fines has always been, and will continue to be, a last resort”.
- Also relevant is the ICO’s comment that “if you are complying with [the existing law] and have effective governance in place … you are already well on the way to being ready for GDPR”.
- The ICO has also signalled a degree of tolerance for smaller organisations with fewer resources, saying “we know there are particular challenges for small organisations in preparing for the new law”.
- What will certainly not impress the ICO are signs that a data controller organisation has not engaged with GDPR over the two-year preparation period and is not yet “on the journey” towards compliance. Or, worse still, that it had not really engaged with the existing law in the form of the Data Protection Act – which has been in place since 1998.
- It stands to reason that the ICO's expectations of organisations which process large volumes of personal data, or which process particularly sensitive personal data, will be higher, and higher still where the organisation is of significant scale and resources. A particular risk category, though, is organisations with fewer resources which nevertheless process large volumes of data, or particularly sensitive data.
- And finally, and very importantly, enforcement is not something which the ICO pursues purely on its own initiative. It is just as likely to be driven by individuals complaining about an organisation's lack of compliance, and the ICO has an obligation to act on those complaints. Though the ICO might not start issuing fines straightaway, it may well use its other powers, such as the power to require an organisation to come into compliance within a short time-frame or to stop processing the data altogether. This could mean organisations having to fix fundamental structural issues around how they process data and share it with others, with very little time to do so. This is not inconsistent with the ICO’s reassuring noises, but it is still a major headache for organisations.
What are the core risks? What are the baseline steps any data controller organisation should have taken before 25 May?
This will vary depending on the processing profile of the organisation – and many will (and must) have done more. But in our view key steps are as follows:
- Governance. Allocation of responsibility for GDPR (and data protection as a whole), by senior management, to a suitable and relatively senior individual, who has started “the journey” of understanding the basics of data protection from, for example, the ICO’s Guide to GDPR and other guidance notes of particular relevance to the organisation.
- Know Your Data. Undertaking and documenting at least a rudimentary audit of the types of personal data held by the organisation – and how data is collected, used, shared, secured and stored.
These two are fundamental steps. They should provide the organisation with some form of “data register”, and in fact a “data risk register” – i.e. a record of the data you hold and an indication of where there may be issues which need to be addressed under current law, or the new GDPR rules – and someone to lead the process of addressing them.
You may very well already be at or beyond this stage: in which case, what are the universal priority action points? It is instructive to look at the fines and enforcement action which the ICO has taken over recent months and years. There is no particular reason why its priorities should change – the data processing principles which underpin this (very much principles-based) law are not changing that much, and some of the key obligations for data controller organisations are not radically changing either.
- Data security, and reporting data breaches. The new breach reporting regime (mandatory reporting to the ICO within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals) has been well-publicised, although a better picture of expected practice in relation to minor breaches will emerge in the months following 25 May. The law is not changing much in terms of data security obligations, but GDPR should be a prompt to review the security of more sensitive and confidential personal data. Your data protection manager should also be ready to report data breaches in line with the new rules, to the ICO and, where a breach is likely to result in a high risk to them, to the affected individuals. And you must have given thought to outsourced data processing arrangements, particularly those involving contractors outside the EU: how secure are those arrangements, and how robust is your contract in each case? Strictly, those contracts will need revision or renewal for GDPR; if time does not permit that for every contract before 25 May, then business-critical and sensitive contracts should be prioritised.
- Direct marketing (and charitable fundraising). The ICO has ramped up enforcement in this area in the past 18 months under existing law, with charities particularly singled out, largely for wealth screening activities. However, fines have also been issued for email direct marketing campaigns: for example, Royal Mail (April 2018, concerning a “service” message that was in fact promoting the prices of its services) and, most controversially, Honda (March 2017) for what many would have considered a very unintrusive attempt to check uncertain consent profiles. If you are engaged in direct marketing (and it is very widely defined) by email or phone, care is needed, and the law is tightening up in May because of the higher standard of consent: opt-out consents are no longer considered sufficient.
Another important action point is:
- Privacy notices: what you tell the individuals whose personal data you process. Here the rules are changing significantly. This is a job that cannot be ignored before 25 May because it is such a public sign of an organisation’s compliance (or not). GDPR requires data controller organisations to issue much fuller notices of what they do with personal data than previously. And – another change – it requires them to “provide” these notices to individuals, and not just “make them available” via websites. Organisations should aim to refresh their privacy notices/policies for (1) customers/members/website users; and (2) staff.
And document what you are doing: this is required by GDPR and will be very valuable. If the ICO asks questions (most obviously because an individual has complained to it for some reason), you may well need to demonstrate your “good data protection citizen” credentials. This “accountability” principle is a hot topic for the ICO right now.
What else? What next?
While a calm, targeted approach to next month’s deadline is to be (cautiously) endorsed, the ICO won’t be impressed by a data controller organisation sorting, broadly, the absolute basics and then sitting back and doing nothing.
The points listed above are what we think are the really central issues on which progress must be made before 25 May. It is possible that the “Know Your Data” exercise will point to other very important and immediate action points, perhaps particularly around any “special category” and criminal conviction data (the old category of “sensitive personal data”), which is more tightly controlled under GDPR. It may also suggest that you need to take action on data governance issues such as making a formal appointment of a Data Protection Officer, or putting adequate protections in place where you transfer personal data outside the European Economic Area.
Whether or not the audit points to important immediate further steps, there will be other compliance programme action points to work on (on which resources should be deployed) over the coming months. These include:
- Training and guidance for staff – at all levels, appropriate to their data handling – to include review of IT policies;
- Staff contracts – these would benefit from a review, and likely need updating for consistency with the new staff-facing privacy notices mentioned above;
- Registration with the ICO – review of the new rules on this, ensuring that the organisation remains properly registered (and pays the new data protection fee where required), and that it keeps internal records of its processing activities;
- Data retention – review and refreshing of policies on data deletion; and
- Data subject rights – understanding the new rights available to individuals on top of the existing data subject access right (which we suspect will remain the most frequently used by individuals).
Organisations should also think very carefully about how they respond to enquiries about GDPR compliance. Obviously, a letter from the ICO is likely to sound the necessary warning bells, but also be careful about seemingly casual enquiries from individuals about GDPR compliance. Answering those initial questions in a careful and considered way is important in ensuring that the organisation does not attract further scrutiny unnecessarily.
Finally, remember that GDPR (and the linked new Data Protection Act) is not the only pending change to data protection law. At some point in 2019/20 the new ePrivacy Regulation is expected to replace the current PECR rules, with significant implications for cookie usage (particularly in the personalised advertising context) and direct marketing.
If you require further information on anything covered in this briefing please contact Henry Sainty, Ian De Freitas, Alan Baker, Owen O'Rorke or your usual contact at the firm on 020 3375 7000.
Further information can also be found on the Data Protection page on our website.
This publication should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, April 2018