The scramble for data privacy
We’ve all been caught up in the flood of data privacy emails in recent weeks as companies have scrambled to make sure their mailing lists have been positively opted into. The average adult is said to have about 100 'data relationships' – companies and organisations that hold our personal data. If that’s so we’ll each be on the receiving end of 100 GDPR-related emails. Many are receiving substantially more than that.
Is there a whiff of last-minute panic in the air? Some small businesses have called for an extension to the GDPR deadline on the basis that reconfirmations are averaging 10% and they’re losing 90% of their potential customers.
A blog published on 9 May by Robert Parker, the deputy information commissioner, tries to calm those worries. He states that “where you have an existing relationship with customers who have purchased goods or services from you, it may not be necessary to obtain fresh consent.” He adds that firms “do not need to automatically refresh all existing consents in preparation for the new law”.
However, Parker points out that the decision to review all opt-ins depends on the business. The practice is not mandated by the ICO: “It will be [each business’s] interpretation of what they need to do to be compliant,” he says.
As business leaders we should already have familiarised ourselves with what steps we needed to take to deal with GDPR. But the important thing is that 25 May 2018 was never set as a deadline. It’s a start date, after which you have to be able to produce certain information pretty well on demand.
And are you ready for that?
Could you cope with subject access requests?
GDPR establishes new rights for individuals, including:
· The right to be forgotten: data controllers must erase all personal data without undue delay in certain circumstances, when so requested. That might mean instructing others – your ‘data processors’ – to carry out the instruction.
· The right to data portability: where individuals have provided personal data to a service provider, they can require that provider to make sure it can be readily transferred to another provider.
· The right to object to profiling: your customers can object to being subject to a decision based solely on automated processing.
When you talk about everything like this in such an abstract, arm’s-length fashion, it’s easy to overlook actual use cases.
We already know that anyone in Europe can ask to see what data companies hold on them. But as The Guardian recently pointed out, that means your employees could choose to file ‘subject access requests’ (SARs) about their own employers.
There’s nothing to stop your staff finding out what their boss or co-workers have been saying about them. If you’re the employer, you’ll have 30 days to collect a cache of all the information such as performance reviews, job interviews, payroll records, absence and disciplinary records, computer access logs, CCTV footage, and recordings of phone calls to, from or about the person.
As we said earlier, GDPR is about tightening up what you should have been doing already, so such a scenario isn’t actually new. It’s just that the turnaround time has been reduced (from 40 days to 30), you can no longer charge £10 for fulfilling a SAR (which might have put some people off), and publicity around GDPR has now brought this state of affairs to the attention of a much wider range of people.
The Guardian notes that “some data privacy experts warn that [such requests] could be exploited by activists to punish a company. A group of unhappy former employees could all file requests at the same time, forcing the company to dedicate resources to respond within the 30-day timeframe.”
To take another example, say 10,000 external activists decided to target your business with a simultaneous batch of SARs. Before GDPR they’d at least have had to commit £100,000 to making the requests in the first place. You might not even hold data on the individuals making the requests, and you might have justifiable (under GDPR) reasons for not releasing the information. But you’d still have to respond to every one of those people within 30 days, even if only to state the reason for refusal.
As Richard Thomas of Capital Law points out: “It is highly unlikely that organisations will be able to avoid their responsibilities in providing data in response to a valid request.” In theory, a massive volume of SARs could cripple a business as it struggles to cope.
Improving your data governance and ability to respond
To deal with scenarios like those outlined above – and many more besides – you simply must have a good grasp on your data. If any information exists it can be audited, even if it’s lying around on an old server or tapes that are no longer used, and you need to be able to get hold of it easily. You can’t simply destroy all this old stuff without processing and recording it.
The use cases above may seem like extreme examples, but we think that once a few high-profile cases involving SARs have appeared in the media there may well be a natural uptake in such requests to organisations of all types. This law firm blog highlights the effort that needs to go into fulfilling a SAR, so be in no doubt that being able to respond could require a considerable commitment of resources.
If you don’t respond to a SAR you could get hit with the famous GDPR fines. And yes, failure to implement or adhere to a subject access request process does put you in the firing line for the top tier: fines of up to 20 million euros or 4% of group worldwide turnover (whichever is greater), applicable to both data controllers and data processors.
It’s not all doom and gloom though. Your supply chains and third parties are also having to comply, which means GDPR is making it much easier to keep tabs on what they’re doing with your data. And Computer Business Review optimistically points out that there have been business advantages for those who have got their act together: “There are instances where companies have improved their productivity and efficiency by more than 20% through GDPR compliance alone and gained 24 working hours back each week.”
The importance of reporting and auditing tools
Moving forward, your focus needs to be on making data visible and accessible to ease the stress of managing SARs.
For companies that have already gone through the pain of migrating their data to the cloud, not only will that data have been carefully examined and sifted but it will also have left in place an audit trail. As Microsoft puts it: “Meeting compliance with the GDPR will cost time and money for most organisations, though it may be a smoother transition for those who are operating in a well-architected cloud services model and have an effective data governance programme in place.”
Tools built in for auditing and reporting will help and, of course, Microsoft will be delighted to tell you all about its own GDPR compliance capabilities. We certainly think cloud services like O365 and Azure can help, because so much of what you need is built in by default. And if you need even more, there are a number of specialist reporting systems that can overlay your solution and that go even further.
So we’d suggest you take a good look at how you manage and retrieve data, and at how you can minimise the interruptions to business of having to deal with a potential increase in the number of SARs. Life in the age of GDPR isn’t all about preventing and acting on security breaches.
And contrary to what the public at large may think, it’s not simply about making sure your data opt-ins are compliant.