If you think Brexit means that the European Union’s General Data Protection Regulation 2016/679 (GDPR) is no longer relevant you are entirely mistaken. Not only does the transnational nature of the GDPR mean that companies dealing with EU citizens or businesses must be compliant. The GDPR was also incorporated into UK legislation as the UK GDPR.
From my practical experience acting as a Data Protection and Cyber Security Consultant over a three-year period, it came as a big surprise to me how small a percentage of organisations were aware of their obligations under the GDPR, or data protection in general. This was despite a twenty year period of the UK’s initial Data Protection Act of 1998, which implemented the EU Data Protection Directive 1995. For the benefit of non-EU colleagues who are looking to understand the GDPR, I wish to take this opportunity to describe my own experience, both prior and subsequent to its implementation in the UK on 25 May 2018.
I am solely describing my own experience, which is purely within the UK. This exposure to GDPR within the UK ranges across a number of industries, within both the private and public sectors, their sizes varying from the micro to multi-national organisations. It is presented from a practical perspective, with some (to me at least), surprising discoveries. I will, in conclusion, briefly summarise the key elements of what a successful information governance should consist of.
In essence, the challenges of the GDPR for individual organisations depend on a number of factors. These are; type of industry, size of organisation, effectiveness of the management leadership, sophistication and integration of systems, governance maturity (having effectively reacted to the Data Protection Act of 1998) and level and depth of training and awareness undertaken. Engaging with start-ups and newer companies allows for good practice to be introduced and embedded early on whilst they are small enough to ensure effective and easily implemented change. For long-established organisations that have neglected data protection and for those with data processing that may lack integration or depend on obsolete technology, the challenge is far greater.
During my time as a Data Protection and Cyber Security Consultant, public sector organisations and those in the private sector that already operated under a heavy compliance regime, for example financial services were the most mature in terms of GDPR awareness. But this was not necessarily so when judged from a compliance perspective. This knowledge reduced further with regard to that of the smaller, independent companies.
There are three main drivers that trigger why a company engages my services as a compliance specialist. One, is in a situation where there has been a data breach and a panic arises with a sudden awareness that something has gone seriously wrong. The second is where someone has left the company and their successor inherits the role of Data Protection Officer or a less formal, but still otherwise, responsible role. The third and most prominent, is where a company is bidding for business and has been requested by the potential customer to provide evidence of both GDPR and Information Security controls. This supplier due diligence is becoming more widespread and pronounced.
In many cases, I have discovered that some organisations that had hired consultants in the run up to May 2018 to ensure compliance were rewarded with very superficial and ephemeral results. This provision consisted of simply updating policies (often templates) without undertaking any analysis of whether there had been adequate compliance with the previous Data Protection Act of 1998, upon which most of the GDPR was based. I always advise that compliance is an ongoing operational activity. It is a process, not an event. I explain that understanding the Highway Code (the rules for drivers in the UK) is not the same as knowing how to drive a car, doing so safely and being observant on the road at all times (and of course, avoiding the police and speed cameras!).
The gaping holes in companies’ knowledge were particularly exemplified with regards to data retention and disposal. I have found examples where companies have retained all of their paper records since time immemorial and then lost track of where this information is actually stored – knowing only that it is stored in some third party warehouse. One large bank I provided consultancy at simply defaulted to a retention period of 12 years for all record types, as their way of acknowledging the principle of storage limitation.
One of the major challenges for all organisations is what is known as Unstructured Electronic data. This is data held in shared network drives, on laptops, PCs, mobile phones or even in Cloud storage systems like Dropbox, One Drive and so on. This sort of data is very often stored in myriad and diverse ways with no structured classification, naming conventions or version control. Unlike databases, that have structure and validation and with easy-to-use extractable protocols, Unstructured Data is held in spreadsheets, word processed documents, emails, etc. The challenge for data protection is three-fold.
Firstly, it is difficult to identify where this data actually resides, and this creates problems in situations where Subject Access Requests are made or where disposal is required (upon meeting elapsed retention periods). The second is that information security is often amiss – for example, the lack of password protection or unsecure transmission. The third is that dissemination may result in breaches – not least, copying in the wrong data to the wrong people when using email.
The solution to providing good data protection consists of the following steps. The first is to make sure that the rules are fully understood. Then you should undertake some business analysis to understand where the organisation is in terms of its processing operations and especially where personal data is held and how it is processed. Undertaking a Gap Analysis and understanding the risks is essential. Embedding governance at all levels with training and awareness underpinning the transparency of roles and responsibilities needs to be implemented. Make sure that data protection is led from the board level. Write policies (under change management) that are disseminated and supported by procedures and training to ensure that data protection is fully understood at its most granular level. Ensure that adequate controls are in place, especially for information (cyber) security. Undertake audits to ensure that controls are sufficient, especially where incidents have taken place. Finally, make sure that change management is in place – for example, the implications of Brexit. The Information Commissioner’s Office (ICO) provides useful information for organisations in a proactive and informative manner.
Thomas Hayes is managing director at Hayes Associates Limited, who provide tailored and personal data protection and information management consulting services.
Photo by MikhailMishchenko, Canva.com