Posted on Wed 6th Jun 2018 at 6:19pm
Lee Holloway, Operational Risk Specialist, takes on GDPR and the reality of what companies need to be doing to be compliant
Firstly I have to credit the Beatles-inspired title of this piece to Stewart Twynham, a 25-year cyber security expert who's a veteran of both the 1984 and 1998 Data Protection Acts and recently appeared on STV's Scotland Tonight to discuss the new GDPR legislation and who, along with the event industry's own Hellen Beveridge, has been an ally in recent social media forums seeking to look at GDPR - and sister legislation PECR - holistically and pragmatically. There has been so much narrative focused on just one part or another of GDPR without context to other elements of the legislation that it's easy to see why there's been so much uncertainty.
But I'll be clear from the outset, as I have tried to be with everyone I've worked with on this, including the Showlite team who have done a huge amount of work: I'm no more an "expert" than anyone else can claim to be at this moment in time without seeing how in the future the ICO engages with organisations - how it penalises and how it offers support. It's also not possible to be an expert until we see how the civil court system responds and how that will work with insurance and so on. All I can claim is that my interpretation of the legislation itself and the extensive guidance available is completely independent; I have no commercial angle, no product to sell, no approach to marketing that might benefit from an emphasis on any one aspect of the legislation. I do have a chartered/degree-level background in a legal/risk management based discipline plus a diploma in para-legal studies and a 1986 most improved player of the year trophy - but despite all that - and the trophy was well earned, I was utterly useless to start with - I'm just as likely to be proven wrong in court on a GDPR interpretation as the next guy. But...
For me, here are some important elements of GDPR that, in my opinion, have not all necessarily been given sufficient coverage or attention:
Most of it is not new
The majority of GDPR is already law under the existing Data Protection Act.
Documentation is the main "new" bit
Keeping a paper trail of (a) what personal data you process, (b) under what lawful bases you process the data, (c) how you assess "legitimate interest", (d) how you evaluate security risk in a DPIA (Data Protection Impact Assessment) and (e) how you communicate what you're doing in Privacy Statements or Notices - these are the key changes that GDPR brings in. Think of it as doing health and safety policies, risk assessments and method statements, but for data.
Consent is tougher but it's not the only way
Commentators have rightly spotted that if you use "consent" as your lawful basis for processing data for marketing, then there is now a more prescriptive method required for this: people have to opt in (i.e. opt in, not opt out), and the process for this has to be clear, not hidden in terms and conditions, and be as granular as possible, not "grouping" options. But the legislation clearly states that if it can be supported by a robust assessment, then "Legitimate Interest" can be used as a justification for marketing activity in a B2B scenario. This is because of the way the PECR currently differentiates between B2C and B2B. So before you throw away your B2B prospect lists or try to qualify them through consent, you may want to reconsider - you might be able to justify this under Legitimate Interest.
And although you cannot take a client's decision to purchase from you as "consent" to send them marketing materials, if they are a B2B client then the legitimate interest basis is again worth considering.
If you don't send marketing materials to clients at all, then definitely don't ask them to opt into anything - you can keep their records on file (still securely) under the lawful basis of "Contract".
GDPR v Data Security
Not surprisingly, there are many technology providers selling "GDPR compliant" solutions, but it's important to remember that (a) GDPR and data security are at least as much about procedure and employee discipline as they are about technology, and (b) GDPR and the ICO are not prescriptive about data security, so don't be persuaded by anyone saying "data has to be encrypted", "you can't use spreadsheets anymore" or "Dropbox is not GDPR compliant". These are similar statements to "you can't use ladders" in health and safety. You can use ladders if they're suitable for the task, which in some cases they will be and in others they won't - and if you do use them there are certain precautions you should take and procedures you should follow. Exactly the same applies to data security. It's risk based.
Privacy Statements should be succinct
They need to be fit for purpose, and they need to be easy for the data subject to understand. For me, a few pages of good, relevant, plain English explanation is more likely to be looked on favourably by the ICO than a 20-page generic document that's impenetrable to anyone without a law degree.
Effort should be ongoing
Showlite, as a perfect example, has set up a quarterly working group that will continuously review and improve its data (and other operational) arrangements on a permanent basis. This is exactly what the ICO is looking for. The regulator has already been quoted as saying it does not expect perfection from any organisation in relation to GDPR, but rather a genuine acknowledgement of and respect for the new legislation and a credible effort to comply and work towards better compliance. This long-term approach recognises that data security is always a work in progress and that technological options (and threats) will continue to develop over time.
Showlite's clients, at least, can sleep well at night in the knowledge that the business has scrutinised the GDPR and PECR legislation over many months and will continue to work hard to ensure personal data is given suitable resource and attention alongside health and safety, sustainability and other operational risks.