GDPR Will Change Data Protection in May 2018 – Are You Ready?
In less than a year, Europe’s data protection rules will undergo their biggest changes in two decades. Since their creation, the volume of digital information we create, capture and store has vastly increased. Simply put, the old regime was no longer fit for purpose.
The solution is the mutually agreed European General Data Protection Regulation (GDPR), which will come into force on May 25 2018. It will change how businesses and public sector organisations can handle the information of customers. To find out more about what GDPR will mean, Council Journal spoke with Conor Flynn, founder of IT security firm ISAS (Information Security Assurance Services), who has over 25 years’ experience providing information security advice to a wide range of public and private sector organisations.
Of the regulation coming into force next May, Conor explains that “GDPR is seen as a move across Europe to improve the old data protection acts which have been with us since the 1980s, albeit with a number of revisions. There was quite an inconsistent implementation across the EU with the old acts; the EU issued a directive and then it was up to each local jurisdiction to transpose that into a piece of legislation and make it an act locally. For instance, it took Ireland seven years to transpose the original directive, which came out in 1981, into an act here”.
When the EU issues a regulation it is immediately binding in all member states; it does not need to be transposed into local legislation, which makes GDPR significantly different to its predecessors.
What makes GDPR interesting, according to Conor, is that it came into force in May 2016 but will not begin to be enforced until May 2018: “A lot of people are looking at May 2018 as when this will become applicable and that is not the case. It became applicable in May 2016; we are now in the adoption phase, so next May is when the fines and audits will start based on the regulation. Many people are working on the basis that they only have to start working towards compliance next May, but you have to finish compliance by next May”.
There are some significant implications for the public sector in particular: “GDPR defines that every public sector body, regardless of size, that handles any personally identifiable information must have a data protection officer. Now, a lot of organisations in the public sector already have data protection officers, but oftentimes it’s a combined role. It might be someone who is head of IT or in HR, but what is going to be particularly impactful in the Irish public sector is that those roles are now seen as conflict roles for data protection. They cannot exist with them”, he explains.
The regulation has called out some very specific competences that the data protection officer must have: “They must have quite a lot of training, a good technical knowledge of systems within the organisation and they must be of a senior level, because they have to be able to go to the management board to report any non-compliance. They also have protection, somewhat similar to a whistleblower: they can’t be disciplined or have any impact on their career for doing their job as an officer”.
While the regulation doesn’t require legislation to come into effect in May of next year, it does need legislation to support some specific pieces of enactment at a local level. As Conor explains, “For instance, the age of a child is defined differently in varying European countries, and so are the specific controls with regards to how you handle the information of a child, so that has to be dealt with locally. Also, there is discretion to each country as to whether or not public sector bodies will be fined for breaches, and there is a little bit of tension here. The draft bill is proposing that public sector bodies can’t be fined in Ireland, but the data protection office is lobbying that they should be fined”.
In the private sector, however, the fines are going to be far more onerous, and we’ve seen some very public headlines about fines of up to €20 million or up to four percent of global turnover. While these don’t apply so much to the public sector, what does apply is the ability of the data subject, the citizen, to sue the controller or processor of their data in the event of a breach.
Conor explains: “The regulation foresees that any settlements in a case like this should be dissuasive and should be more than compensating the injured party for their injury. There have to be non-compensatory payments made as well, which means the stress or discomfort of somebody who has suffered a breach would result in a payment, which is worrying”.
Elaborating further, he adds: “There is a lot of responsibility and accountability coming towards the various data controllers in both public and private sectors. What is going to make it more difficult in the public sector is there are very specific requirements as to the role, functions, competency and independence of data protection officers while, at the same time, they are still exposed to the settlement of lawsuits”.
So, with the possibility of serious sanctions for non-compliance, how should organisations be preparing? First and foremost, Conor believes organisations should put GDPR on their corporate risk register, because non-compliance is a risk to the business.
“One of the most effective ways to get senior management to commit human or financial resources to anything is to get it on a risk register and put an appropriate risk to the business on it. We’ve talked about what the sanctions are: you can be fined, you could have people taking you to court, you could be named and shamed in the data protection commissioner’s annual report, but one of the other sanctions they have is they can actually stop you processing, if they feel you have had a breach or you have acted in a negligent or inappropriate way. They can come in and make you switch off your systems, so you can imagine the impact on a business if they had to stop processing. People need to get this up on their risk register”.
What is a Corporate Risk Register?
The Corporate Risk Register is designed to record the evaluation of corporate risks to the Board or management, and to inform those responsible for managing those risks about actions taken and planned to mitigate them. This in turn helps to ensure that all significant risks have been suitably identified, assessed and managed.
Conor also believes organisations should be undertaking a readiness assessment or audit to identify the size of the problem and to understand the impact of applying the principles and rights of GDPR to their data, adding: “There is quite a bit of work to be done, but the worst decision management can make is to do nothing”.
Aside from inaction, Conor is worried that many organisations may be viewing GDPR as a project, and it is not; it is a process. “This is a permanent part of your world for the future and it can’t be something that you throw lots of capital resources at to buy equipment and software, and your GDPR is done. GDPR is about privacy. It is about the entitlement of the data subject. It’s not about security, encryption or buying the latest piece of software”.
He is also keen to stress that “it might be that you make no software adjustments and become compliant. What a lot of people are missing in this whole debate is that GDPR also covers paper records, not just electronic. You can’t apply encryption to paper, so you must have your processes in place: how you engage with the citizen, how you gather your data, how you get rid of it, how you control access to it and so on. These are privacy issues; the technology controls will come out of how you will manage that. It is not a technology project first, and I think that is getting lost in some of the discussion”.
GDPR will no doubt instigate huge changes across Europe, and Conor firmly believes GDPR is a good thing. Simply put, he says, “it is giving the citizen back control of their data, and I think this is vitally important. This is not about bureaucrats or consultancy companies selling time or IT security firms selling product; it is about the European Union taking a stance on how Governments, organisations, law enforcement and various bodies use people’s information. It’s about putting a little bit of manners on organisations who will have access to, or require, large amounts of data, to make sure what they are doing is done in an appropriate way and is not excessive”.
GDPR is changing how businesses and public sector organisations can handle the information of customers and citizens. It is a permanent part of our world for the future and it cannot be ignored; the potential consequences of GDPR non-compliance are simply too high.