Guy Cullom, head of 3gamma’s risk and assurance capability, was interviewed by Jesper Nordström, head of marketing at 3gamma.
You wrote an article on the GDPR a few months ago. Are there any further developments since then?
Yes, most definitely! A huge milestone has been passed recently: following a vote on Thursday 14 April 2016 at a plenary session of the European Parliament, the final text of the General Data Protection Regulation (“GDPR”) was formally adopted by the European Parliament. This is very important, as it is now highly unlikely that there will be any fundamental changes to the legislation in its current form; it means the text is formally adopted, which is the final stage in the long legislative journey since the first draft was published by the European Commission in January 2012.
Next, the GDPR will be published in the Official Journal of the European Union by the Secretaries-General of the Parliament and of the Council. Twenty days after publication, the GDPR will come into force (i.e. likely in May 2016). However, organisations will not be subject to enforcement under the GDPR at that stage. Instead, there will be a two-year grace period, after which the GDPR’s provisions will become enforceable (i.e. likely in May 2018).
So how exactly will it be enforced in all 27 member countries?
Existing EU data protection authorities, such as the Information Commissioner’s Office (ICO), the UK’s data protection watchdog, and the Swedish Data Protection Authority (DPA), Datainspektionen, will be given more powers so they can better enforce the GDPR rules at home. For example, they will be empowered to request records concerning data protection compliance and to fine companies that violate GDPR data protection rules.
In addition, EU Data Protection Authorities, as well as the Article 29 Working Party and the newly formed European Data Protection Supervisor, will individually and collectively begin to issue guidance on the application and interpretation of the GDPR, with the aim of helping organisations achieve compliance with the requirements. This guidance is expected to offer detail on certain issues in the GDPR that are not totally clear from the current text (e.g. several of the new data transfer mechanisms set out in the GDPR require significant further explanation before they can be used in practice).
The European Data Protection Supervisor will be the supervisory authority at EU level with responsibility for:
- Monitoring the processing of personal data by the EU institutions and bodies
- Advising on policies and legislation that affect privacy
- Cooperating with local authorities to ensure consistent data protection.
The legislation is fiendishly complicated though, and many predict it will take companies and regulators a good while to get their heads around it. Data breaches, for example, must be reported within 72 hours – a regulation most agree could be extremely hard for businesses to realistically comply with.
So how can companies comply with such complicated and vague legislation? It seems like a minefield.
Many forward-thinking organisations have had this on their radar for a while. They have provisioned funds in 2016/17 budgets to mitigate this risk and are working on improving and documenting their data governance, as this is a basic objective of the GDPR. Others have been playing the ‘wait and see’ game, hoping the legislation would get delayed, rejected or buried in EU bureaucracy. Unfortunately for these companies, none of these things has happened, so they are now facing an uphill struggle to achieve compliance within the next two years. It will be particularly difficult for organisations that are not currently PCI compliant, or that are not ISO/IEC 27001 certified, as both of these standards are closely aligned with the GDPR data privacy principles. The key message here is that doing nothing is no longer an option. Two years is a very short timeframe to implement all the various requirements, and it will take a large investment in time, money and board-level sponsorship to meet the May 2018 date.
Isn’t this just another big legislative stick to beat EU companies with?
Well, lots of people are viewing it that way, and there is a lot of bad press at the moment, but it will create opportunities for companies to work better together whilst protecting customer data rights. For example, once an organisation has the GDPR seal of approval, it can demand that its suppliers and vendors are also approved, and deal only with GDPR-compliant organisations, which will reduce security risks in the supply chain. It will also provide assurance that cloud and ISP providers are meeting the beefed-up data processor requirements of the regulation. This means a level playing field and the same rules for all companies, regardless of where they are established or in what jurisdictions they operate.
You have to remember also that the huge punitive fines and sanctions quoted in the press (and amongst the top items concerning C-level management) will only be imposed in cases of clear flouting or disregard of the rules, i.e. suffering breaches due to existing vulnerabilities such as devices not being updated after security patches were released (which was the case with two recent UK cyberattacks, on TalkTalk and Ashley Madison – the affair dating site that lost all its customers’ extremely private data!). However, companies that can demonstrate that they have taken all reasonable steps to achieve security compliance, and that have a clear data governance policy in place, will likely be given a period of grace to mitigate any gaps in the event of an attack.
Achieving GDPR approval will also improve consumer confidence and lead to increased market share compared to non-compliant businesses, as more people are becoming concerned about their personal data usage and security when passed to a company. Organisations that can boast a GDPR seal of approval will be the preferred choice for these types of customers.
“The level of risk associated with the GDPR has catapulted data protection into the boardroom.”
Jane Finlayson-Brown, Partner, Allen & Overy LLP
So what is your advice on what companies should do?
The first and most crucial step is to get board-level buy-in. It really is that important; all the efforts of an individual area, such as IT, will count for nothing if there is not a holistic, company-wide approach. Secondly, it is critical to get a total overview of the company’s data: where it resides, who has access and who is responsible for its integrity, in order to get a clear ‘map’ of the current enterprise data landscape. This then forms the basis for auditing the current policies, processes and procedures to reveal any non-compliant areas.
The appointment of a data protection officer (DPO) will also be mandatory for many companies. The GDPR does not specify the credentials necessary for data protection officers, but does require that they have “expert knowledge of data protection law and practices.” I am starting to see a large increase in DPO roles advertised – although the available expertise seems scarce, so the salaries demanded are high, and many companies are worried they will not be able to recruit the necessary skilled people.
The GDPR strongly promotes techniques such as anonymisation (removing personally identifiable information where it is not needed), pseudonymisation (replacing personally identifiable material with artificial identifiers), and encryption (encoding messages so that only those authorised can read them) to protect personal data.
This is most effectively and efficiently achieved by having an ISMS compliant with the international standard ISO/IEC 27001:2013, which provides the holistic, all-encompassing approach to information security that is critical to support compliance with the GDPR and other cyber security laws and regulations.
I have also recently been working with one of 3gamma’s clients to align their loyalty programme to the new GDPR requirements, and I think this is another major area that is slipping under the radar amid all the more attention-grabbing articles: the ‘Privacy by Design’ principle. This means all projects and programmes must incorporate data protection in the design phase and by default, e.g. data minimisation. Article 23 (data protection by design and by default) further enshrines Privacy by Design ideas. The article is more explicit about data retention limits and minimisation, in that an enterprise has to set limits on data (duration, access) by default, and it gives the EU Commission the power to lay down more specific technical regulations at a later time. I expect there are many sizeable programmes underway that will need a fundamental redesign to meet these new GDPR rules.
Any final thoughts?
As the new GDPR is only two years away, and the implications for businesses, especially those that operate multi-nationally, could be immense, the organisations that get out in front are likely to gain the advantage and avoid the last-minute panic that will surely engulf some industries in late 2017 (think Y2K!).
I strongly recommend engaging skilled resources who can navigate the current minefield and steer the enterprise through this extensive piece of new legislation over the next two years. At 3gamma we have wide-ranging data protection and ISMS expertise that helps organisations effectively prepare for the EU GDPR, without recruiting extra headcount or appointing someone in-house who may not be sufficiently trained and skilled. Our specialist consultancy team can assist with enterprise data governance assessments, gap analyses, selecting and implementing an appropriate ISMS, and data protection audits.
Please call us to find out more.