Why its wise to press on with data protection compliance
GDPR is now two years old, like a legislative toddler taking its first steps. And as another anniversary passes, the legislation has gathered many critics. The question remains; is GDPR an over-complex drag on business, or a ground-breaking response to the 21st century data landscape?
Wrinkles were inevitable in such a complex piece of law, yet some business journalists turned their guns on GDPR as a shining example of everything wrong with EU law.
Some of this criticism is fair, some of it doctrinaire.
GDPR and Brexit
With Britain set to leave the EU at the end of the year, the guns aimed at GDPR have been reloaded, leaving some industry observers wondering what elements will survive.
Whatever shots are fired, it’s likely GDPR (with UK tweaks) will remain, and so far this is the cited intention of the UK Government. The alternative may scupper any chances of achieving the golden grail of ‘adequacy status’ from the European Commission (whereby data can flow freely, if the UK is deemed to have similar standards of data protection).
All governments continue to grapple with the challenges of modern communications technology. As the tech giants who dominate the online arena grow ever-bigger and ever-hungrier, the idea UK PLC will jettison the spirit of GDPR’s protections seems fanciful. (But we’ll have to wait and see, nothing can be ruled out in the current climate).
So, GDPR’s faults notwithstanding, there are good reasons why organisations should remain focused on data protection. The unwary who think GDPR will end up on the post-Brexit scrapheap might fall into the complacency trap. And it’s a big trap, especially for organisational reputation.
Your customers now know their rights
GDPR made data protection everyday news. People know the duty organisations have to look after their personal information. The ICO’s 2019 Trust and Confidence Survey shows consumers are increasingly aware of their privacy rights year on year. Some organisations will know this all to well with the rise in individual rights requests they’ve received.
Your staff, customers, partners and clients know you should be taking care. The organisations who embrace a proactive privacy by design approach know it’s good for business and use it as a brand asset.
Regulators lack clout
It’s no secret data protection authorities across Europe are under-resourced. This lack of ‘equality of arms’ means their capability to tackle big tech companies with billion-pound turnovers is questionable. This is acknowledged in a GDPR ‘birthday’ statement from the European Commission.
“The GDPR has changed the landscape in Europe and beyond. Nonetheless, compliance is a dynamic process and does not happen overnight. The national data protection authorities, as the competent authorities to enforce data protection rules, have often not yet reached their full capacities.
We therefore call upon Member States to equip their data protection authorities with the adequate human, financial and technical resource to make effective use of their enforcement powers.”
In the UK, it’s also been announced that a New York based consultancy, Oliver Wyman, is being pulled in to review the ICO’s work. While the Regulator insists this is a routine planned review, others suspect otherwise. What changes this ushers in, remains to be seen.
Covid-19 and data protection leniency
The ICO faces criticism and praise in equal measure for giving businesses some leeway during the current pandemic. Information Commissioner Elizabeth Denham sets out why she believes a measured approach is appropriate at this time.
“Regulators apply their authority within the larger social and economic situation. We see the organisations facing staff and capacity shortages. We see the public bodies facing severe front-line pressures. And we see the many businesses facing acute financial pressures. Against this backdrop, it is right that we must adjust our regulatory approach.”
Yet more debate surrounds the ‘pause’ on ad tech investigations. But as the ICO’s Richard Nevinson, Group Manager for Policy and Engagement, made clear in a recent DMA ad tech webinar, “now is not the time to take the foot of the pedal”.
This marks a pause not an end to the ICO’s work in this area, and with many organisations having some way to go, it’s a good idea to press on with the work you’re doing.
(Also see: Covid-19 Privacy under the spotlight)
Does the number of fines matter?
“Where are the fines?” – a rallying cry, especially in the UK. And yes, there’s another delay in the intentions to fine Marriot and British Airways. (Perhaps now is not the time to issue massive fines in sectors so badly impacted by covid-19).
Across Europe there have been over 150 million euros worth of fines. In this handy GDPR enforcement tracker, (if you’re a geek like me) you can see where organisations are falling foul. These include failures surrounding data retention, security and individual rights.
Calling for more fines may well be a case of ‘be careful what you wish for’. The ICO, for its part, has always stressed it will take a measured approach and fines are not the only course of regulatory action. The ICO also continues to put organisations on the naughty step for breaching marketing rules.
What’s clear is no one wants to be in the reputational spotlight, as pharmaceutical supplier Doorstep Dispensee found out when they claimed the unenviable title of first UK company to be fined under GDPR.
The wise won’t be focusing on the slow pace of regulatory action. Those that think it doesn’t matter anymore; the ‘we’re unlikely to get caught out’ mentality, may come unstuck in the coming years.
GDPR shines a light on cyber-security
The drive for data protection and information management is not new, but GDPR increased the focus on both preventing and avoiding security and privacy breaches. GDPR is complementary to infosec, as Martin Turner, Managing Director of our cyber security partner, Full Frame Technology explains.
“We’re often asked whether cybersecurity and data protection are the same thing. They’re not! You could invest limitless sums in securing your organisation and still fail to protect data adequately. A definite benefit of the GDPR has been to raise the profile of data privacy, and with it the opportunity to talk about how to secure an organisation effectively. For us, that always begins with understanding how to build information security into the fabric of a business so that it becomes an asset, not simply an expense.”
Does GDPR stifle innovation?
GDPR stands accused by some of stifling innovation. But does it? Perhaps it makes you think more carefully about what you are intending to do; makes you think whether it would really be in people’s reasonable expectations.
Regulations are easier to navigate when they’re fully understood, and some decisions made that cite GDPR as the reason, just illustrate the old saw about a little knowledge being a dangerous thing!
If Zoom has paid more attention to privacy by design from the outset, it wouldn’t have found itself splashed across headlines and playing privacy catch-up when business unexpectedly boomed.
Remember those pesky Data Protection Impact Assessments (DPIAs) really are valuable – revealing unnecessary risks to your business and your customers.
It’s not about ticking boxes
It’s easy to get stuck in a rut, seeing compliance through the prism of paperwork and tick boxes. Instead see data protection as an opportunity to engage with your customers about how their data is used.
Organisations have already proved you can do this in an engaging and compelling way. Let your creative marketing teams loose to express your brand values.
Customers, especially those who’ve grown up with the Internet, are tech-savvier than ever before. They’re more likely to appreciate a transparent approach to privacy.
Businesses embracing and being creative around transparency and giving customers control are successfully gaining trust and building their brand image.
Furthermore, it’s not just about your customers. Potential partners want to know they’re doing business with organisations taking data protection seriously. Suppliers will also be familiar with the dreaded due diligence questionnaire and meeting their contractual obligations.
People want to do business with companies they respect and trust.
Philippa Donn, June 2020
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.