When the subject of data protection and security came up at a recent ICAEW meeting of Audit Committee chairs, it raised more interest than usual. “People round the table were scribbling notes furiously,” recalls Richard Anning, head of ICAEW’s IT Faculty.
And no wonder. The subject on the agenda was the new EU General Data Protection Regulation (GDPR), which goes live on 25 May 2018. On the face of it, that leaves plenty of time for even the largest organisation to prepare. In reality, the changes are so significant that no organisation of any size can afford to delay in getting to grips with them.
The new regulations will be of concern to smaller organisations lacking the generously staffed IT functions corporates or major accountancy practices enjoy. But there are signs some smaller and medium-sized practices are already thinking about the implications.
“This is a good opportunity to carry out a complete review of the data we hold, where it’s from and how it’s used,” says Steve Fraser, a partner at Monahans, a five-office practice with 12 partners and 140 staff, based in the south-west. “It is also a good time to think about our policies and procedures.”
GDPR could prove more of a challenge to Grow Your Business, a two-partner, six-staff firm in East Anglia. Partner Tim Vogel says the firm will rely heavily on support from its IT provider. “We have a cloud-hosted database designed for accountants. We have already spoken to the provider and they assure us that as and when the new regulations come in, their product will be compliant and allow us to identify what we need to do.”
The fact that the UK is, probably, heading for an EU exit will not make any significant difference. Even if the UK is outside the EU by 2018, home-grown organisations will still need to implement the regulation’s provisions if they offer goods or services to EU “data subjects” or monitor their behaviour.
Even so, the precise role of the GDPR if the UK is outside the EU remains unclear. It is one of a stack of issues in ministers’ in-trays now that the country has voted to leave the European Union.
The Information Commissioner’s Office has published a review of the impact on GDPR for UK companies. It explains: “Once implemented in the EU, the GDPR will be relevant for many organisations in the UK – most obviously those operating internationally. The other main reason is that the GDPR has several new features – for example, breach notification and data portability. Therefore, we thought it would still be useful to familiarise information rights professionals with the GDPR’s main principles and concepts.”
The tightening of data protection regulation comes against the background of a steady drip of worrying data breaches in recent years. Last October, for example, TalkTalk revealed that hackers had exploited a weakness in its website to compromise customer data – 157,000 accounts were affected.
Sometimes data breaches have been the result of hacking – such as the 2014 breach that compromised 1,163,996 credit and debit card accounts at online holiday company Think W3. Sometimes they have been caused by lax handling of sensitive data – as when the Brighton & Sussex University Hospitals NHS Trust sold 232 hard drives containing sensitive patient data on eBay.
Some larger organisations may have treated the dangers of data protection breaches with a degree of insouciance because the direct financial penalties were limited. (The reputational damage was, of course, a different matter.) But the GDPR ushers in a fines regime that could make the CFO of even a financially healthy company blanch. For serious breaches, the maximum fine will be the greater of €20m or 4% of global annual turnover.
So just what new issues should organisations – including both companies and accounting practices – focus on to ensure that they are ready for GDPR? “There is a lot more focus on accountability,” says Jane Berney, manager in ICAEW’s business law department. “You have to prove you’re complying with the regulations rather than just assume.”
That means policies need to be worked out formally, related to the risks in the organisation – and specifically to the security of data – and be proportionate to that risk. Responsibility for the policies needs to be taken at the highest level possible, says Berney.
Jane Finlayson-Brown, a partner at law firm Allen & Overy, urges organisations to establish a framework for accountability. “Ensure that you have clear policies in place to prove that you meet the required standards,” she advises. “Establish a culture of monitoring, reviewing and assessing your data processing procedures – aiming to minimise data processing and retention of data, and building in safeguards.” Finlayson-Brown adds that organisations with risky processing activities will have to adopt auditable privacy impact assessments and take steps to address specific concerns.
GDPR changes the ground rules over consent. In the past, it has often been enough to assume that consent to hold and process personal data has been given by a pre-ticked consent box. That won’t cut the mustard under GDPR. In each case, the individual providing the data will need to give consent proactively. The GDPR also strengthens a range of rights for data subjects. These include the right to be informed, the right of access, and the rights to rectification, to erasure, to restrict processing, to data portability and to object.
Organisations will need to familiarise themselves with the principles behind these rights and the degree to which they are likely to be relevant to the data subjects in their systems. For example, when a company is holding information on a data subject that may be used for marketing, the subject has a right to object – and the company must make them aware of that right.
The last few years have produced several examples where data has been compromised because of lax business practices. Sales staff at T-Mobile, for example, sold customer records to brokers who traded them to other phone service providers – a practice T-Mobile immediately halted when it was exposed. At HMRC, two CDs holding records of 25 million child benefit claimants in the UK were lost in the post.
With the principle of “privacy by design”, the GDPR is intended to make stories such as these a thing of the past. The aim is that data privacy should be designed into business services, with an organisation taking appropriate steps to protect data from the moment it takes on a new client.
One of the biggest changes is the need to appoint a data protection officer (DPO). Public authorities will need to appoint a DPO. So will organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of “special categories” of data.
It is not necessary for the DPO to be an IT whizz-kid, says Berney. “Ideally they should be senior enough to ensure that the regulations are followed and any shortcomings addressed as soon as possible.” Organisations should begin soon in order to meet the challenges, says Anning. “If you’re a larger organisation you need to start preparing now. There are issues such as where all the accountable data is held. It is quite surprising how many organisations don’t have all this information.”
Whatever new policies organisations choose to adopt to meet the needs of the GDPR, they must ensure they are explained clearly. “Your policies should be transparent and easily accessible,” says Finlayson-Brown. Organisations also need to be aware of the rights of data subjects, she adds.
“Be prepared for data subjects to exercise rights such as the right to data portability and to erasure,” she says. “If you store personal data, consider the legitimate grounds for its retention – it will be your burden of proof to demonstrate that your legitimate grounds override the interests of the data subjects.”
Organisations need to decide on an implementation timetable that meets their needs. Grow Your Business, which relies on its IT provider, will do nothing until the last six months, says Vogel. Monahans plans to phase in any changes. “But to a timetable that leaves us well ahead of the May 2018 date,” adds Fraser.