Exploring the fact and fiction behind the upcoming General Data Protection Regulation
Data. The industry buzzword. From surfing the internet on your phone to the bank details on your computer, the term seems to traverse every conversation in relation to technology.
It’s a word you’re likely to read, hear and probably say a lot more over the next 12 months as the General Data Protection Regulation (GDPR) from the European Union comes into force on May 25. Businesses across Europe will need to take a stricter view to protecting the information they hold.
The primary purpose of the regulation is to strengthen and unify data protection for all European Union citizens, giving them back control of personal data.
As well as data protection, the impending regulations also give the subject of that information the power to see the details a company holds and the right to be forgotten when that information is no longer necessary.
With an update in rules there is a change in the financial implications of breaking them, which will grow from £500,000 to €20 m (£17.6 m) or four per cent of annual global turnover, whichever is greater.
However, ICT Reverse head of compliance Ken Parker argued that too much is being made of the fines, and that the current fine limit is still yet to be imposed on any business guilty of mishandling data.
He said: “Everyone is fear selling on the back of the €20 million fine that can be handed out but even today the maximum fine hasn’t been imposed yet.
“Currently the Information Commission Office can fine up to half-a-million pounds but the closest they have come are the Carphone Warehouse and TalkTalk fines which were both £400,000.
“GDPR is the biggest change in 20 years but no reason to panic’ Exploring the fact and fiction behind the upcoming General Data Protection Regulation
“But even then, these fines can be reduced by 20 per cent, albeit with no chance to appeal, if the ICO are paid quickly so there is still a £180,000 gap between what can be handed out and what businesses have paid.”
Houses In Order
Exonar chief marketing officer Julie Evans also noted the maximum fine is yet to be imposed – with the ICO confirming the new limit will only be reached in extreme cases – but added businesses will want to have their “house in order” to avoid the spotlight.
She said: “Nobody will want to be in the headlines for having a data breach and nobody wants to be in the headlines for noncompliance.
“I think the vast majority of organisations, particularly in the mobile sector because organisations in mobile are aware of just how rich the data is that they are holding, will have started work towards GDPR and will have lots of good practice in place already.
“It’s about tightening up some other areas, such as the additional consumer rights under GDPR, and how to do that without a huge operational drain.”
One of the larger points for GDPR is the increased control that will be given to the subject of the information that businesses hold.
As part of the new regulations, companies are required to be more transparent with customers as to what data it holds on a person, with that person also being afforded the right to be forgotten and the right to portability; in short, subjects will be able to find out what data a business has, and have it erased if the information is not needed.
However, placing control of data in the hands of the consumer also has the potential to drain company resources as millions of customers will soon have the right to have a request answered within a month.
Research from Exonar also pointed out that more than 9.5 million mobile subscribers in the UK will be making subject access requests (SAR) to their network provider once GDPR goes live in four months’ time.
However, Evans said this could be the tip of an iceberg as many consumers are unaware of GDPR and the power it will give them.
Evans said: “We spoke to several people and discovered that about 70 per cent of consumers don’t know there is going to be big change in privacy regulation.
“Once we spoke to these people about GDPR 57 per cent then said that they would be interested in raising a SAR.” Subject access requests are not a new revelation, though.
Under current regulations companies are obligated to abide by requests made to them, however once GDPR comes into effect businesses will not, in the vast majority of cases, be able to charge for the request and will only be able to refuse or charge if the data is substantial or not there in the first place.
If a request is refused, the data handler also has to tell the individual the reasons behind the decision and inform them that the individual has the right to complain within a month at the latest.
The ICO has advised businesses that could be given multiple access requests to consider developing a system to deal with the requests or make the information available online.
Westcoast head of mobile Darren Seward said contracts and agreement clauses are now being added to determine who is liable once a breech has been detected.
“We’re seeing a lot of contracts from suppliers will include that the supplier is liable as well because sometimes data passes up the channel to different suppliers or venders and vice-versa to their customers too.
“If you look at all the software packages, there is no ‘one size fits all’ solution that is going to help them so it may be a case of needing to pull in solutions from different vendors.”
According to Seward, the onus on compliance and to protect data has always been on the possesser of the information, however, the changes that will come into affect from GDPR will make companies think twice about their security policies.
“This is placing more and more emphasis on the possessors as more and more data is captured around customers.
“Things like credit card details, address details, credit files or transactional details is all data that needs to be kept secure.
“At Westcoast, we’ve had to go through all the different customers that we work with to make sure all of our systems are secure so that if there ever was a breach the system is there, we have a plan and instant response plan around it.”
Under the new regulations, companies will have to notify the relevant authorities and those affected by any data breach within 72 hours. Companies are also advised to put into place procedures to detect, report and investigate those breaches.
Seward added: “It’s really become important to have a policy or a due diligence, or even look at how to deal with data because if customer or employee data goes missing and you have no way of recovering or controlling it, that would make them liable
for a fine.”
To avoid fines the ICO have released a guide for 12 steps to compliance which clarifies the areas businesses need to be hot on to comply including auditing the information that is held, how to gain consent, the procedures to be put in place and the aforementioned access requests.
One area not yet touched on is the implications on the marketing world and how freely-given, specific, informed and unambiguous consent will need to be given in order for companies to use personal data and process it.
Parker said: “We are all familiar with these pre-populated tick boxes people use when they are doing online shopping which means you get hit with a lot of marketing as a consequence.
“Those days are categorically over, individuals will now have to explicitly give consent for people to use personal information.”
Evans also stressed the importance of knowing what information companies can hold and added that some may be caught out by the new regulations.
She said: “Companies need to understand the information that you’ve got and what the risk is in holding it, making sure that, where they are holding personal information, they have the legal right to do so.
“There are some big headlines that come under GDPR. I think most organisations are addressing them well but obviously it is worth thinking about.”
Along with the change in how businesses can gather consent, any consent previously given may also need to be sought again if it was not given in a way that will comply with the impending regulations.
But all is not lost with this new regulation. Seward says there is evidence that GDPR has opened a huge opportunity for businesses to capitalise on non-compliance. He added: “GDPR compliance definitely has been a pull for the past two years.
“People have been saying that this is coming and you need to be compliant or you need to put in place the necessary steps to protect your data and I think it’s probably now that people are waking up and realising that in May they will need to do something about this.
“You’ll probably find that bigger organisations such as banks and financial services have been doing this for a long time. Small businesses probably haven’t thought about this but it is something that they need to switch on to and look at.”
But Parker emphasised that, despite the large fines, companies needn’t panic about becoming compliant and that fear-mongering isn’t necessary.
“What I’m trying to get across is that people shouldn’t really panic, they should just not do more than is necessary an reasonable in order to comply with these
“Don’t get me wrong, it is probably the biggest change in data legislation for two decades and is designed to future-proof it.
“But it doesn’t have to be this fear mongering thing. I think a lot of people are trying to force this down people’s throats when there is enough information out there to start working towards complying with GDPR.”