Written by Justin Baxter, Neil Adams and Neil Mockett from Crowe Horwath
The deadline for the enforcement of the General Data Protection Regulations (GDPR) provisions in May 2018 has finally reached the agenda of most companies. It coincides with an increasing fever pitch in the press and on social networks regarding cyber attacks, hackers from the east, Smart TVs watching us, et al. Privacy is news. Businesses that get caught out on privacy matters are subject to huge focus in social networking circles.
The recent focus on GDPR as “something new” is a surprise though. The regulations are an extension of the UK 1998 Data Protection Act and the EU GDPR regulations were technically in force from May 2016. It is an unfortunate fact that this new regulation is turning the spotlight on how lax some companies may have been since 1998 and as a result the scale of the current programme to address GDPR provisions suddenly appears very significant.
Privacy and Security
Privacy is an individual thing. It is increasingly apparent that as individuals we need to be more aware and protect our digital existence. Firms have to accept that the “privacy train has left the station” and people are demanding more control over personal data.
Central to the issue are two core principles: the respect for privacy; and the provision of adequate security. Importantly, underlying this is the notion of custodianship. It is this custodianship that should be considered as a key corporate responsibility and one that defines the seriousness with which firms have responded. In the event of a breach of privacy, this is where the regulators will look first.
Appreciating how you are impacted as an individual is relevant. It is hard not to conclude that the provisions of current privacy laws are not keeping up with the pervasiveness of today’s technology. It is a salutary exercise to count up the number of devices connected to the internet in your home – most are capable of enabling access and extracting information. The latest concerns expressed by Tim Berners-Lee that we have lost control of our personal data is timely. Whether we like it or not, privacy matters.
Why GDPR is different
Successfully addressing the requirements of GDPR requires a number of important challenges to be overcome.
- Striking an appropriate balance between commerciality and assessing the probability and severity of fines, loss of shareholder value and damage to reputation.
- The issues facing the firm are genuinely cross-business and will bring elements of judgement, disagreement and in some cases conflict.
- May 25th 2018 is a key date, but there is no big bang. Regulators are expecting evidence of accountability and the journey being undertaken by firms.
- There is no “one size fits all” approach. It is essential that firms can show the regulators that issues are being addressed appropriately.
- There will be a subjective nature to many of the decisions taken by each firm and guidance continues to emerge. Waiting is not an option, so pragmatic positions will have to be taken.
- There is a necessity to review the responsibilities, contracts and processing being completed by third party providers; this tends to be an area that has previously been neglected and will lead to surprises in many cases.
All these points will test a firm’s approach to risk and risk appetite for data protection related activity. At the end of the day, data protection is just another operational risk.
Stewardship: The CFO is no stranger to stewardship. The addition of custodianship should fit quite easily but requires absolute confidence that all preparations for GDPR are sufficient.
Lines of Defence: Executives within the “second line of defence” will have a key role in ensuring an independent perspective is maintained. Executives in the “first line of defence” will be confronted with many of the decisions and implications of GDPR driven changes and what is a proportionate response. The CFO and CEO may be drawn into debates about both areas.
Managing GDPR incidents: In the event of breach, it will often be the CFO and CEO in the spotlight, with tensions rising as the matter may become an exercise in crisis management. Anecdotal evidence suggests that the “finger pointing” starts very quickly. At which point, it will be too late as one of the first tests will be to evidence that reasonable steps had been taken to prevent the incident happening.
It starts with taking the view of the customer
In assessing any privacy issue, the key question is “What would you have expected the firm to have done?” Fuelled by privacy stories, customers will learn quickly of their rights and will have expectations of what response they will get when approaching your business to exercise these rights. They will also assume that should something happen it is controlled and they are informed. Firms need to beware of the power of the customer to disrupt; especially with the viral nature of social media. The inclusion of the customer view from the outset will mean that this dialogue, should it arise, will better reflect the intended approach of the firm. Custodianship is a serious responsibility.
Pragmatic steps to ensure appropriate oversight and control
Senior executives should own the GDPR programme and maintain a keen eye to ensure it does not drift into a purely second line compliance project..
Progress assessment: The hardest question to answer in absolute terms is “when will we be compliant with GDPR?” A number of dimensions can be constructed around some simple principles: the less sensitive data you lose, the more manageable the response; the more that you understand what personal data you have, the better you can secure it; the more information you can provide about a breach, the more likely you will receive an empathetic hearing from customers and regulators. Measures should be designed to help people understand “how far” you have secured a reasonable position. It will focus minds.
Risk based approach: It will be essential that a risk based approach to GDPR related decisions is taken. Decisions on data minimisation and retention periods, for example, will expose tensions between the need to comply and the commercial and practical implications of deleting customer data.
Governance and Accountability: The GDPR regulations assume an ongoing commitment by the firm to embrace privacy and security responsibilities. There is no big bang and therefore, arguably, no obvious finishing line. The voice of all stakeholders across the GDPR programme need to be represented through to the Board.
Measuring operational impacts: There will be operational implications should customers past and present exercise their new rights under GDPR. For example, early indications suggested that there would be a 25 – 40% increase in the numbers of Subject Access Right requests. To this number needs to be added an estimate for the new provisions (including the right to be forgotten, portability etc.). Will current response processes be up to it?
Pragmatism is the watchword: Implementing regulatory change is not straightforward. A pragmatic and practical approach is essential to overcome many of the issues that will be raised. The risk of projects becoming detached from the realities of running a business are high: the message of effective custodianship will help. The firm must demonstrate and justify the pragmatic judgements taken on the journey towards their compliant position. Permitting every possible aspect to be debated at length will likely result in compliance paralysis. Therefore, the importance of proportion and measured decision making cannot be overstated.
Personal data is an asset and companies are the custodians. The expectation we have about the behaviour of how other organisations handle our own personal data should influence our own roles within our organisations. The way we work with colleagues to achieve a level of assurance and mutual confidence is key. There are effective ways to think about and implement regulatory change, which need to ensure that the response to the various challenges of GDPR as outlined above are appropriate, measured and reasonable. In the event of having to react to any privacy incident, having a clearly agreed position on the custodianship responsibilities will be a good place to start a defence.