Why GDPR is not Y2K

Douglas McLachlan, Anderson Strathern.

Information Commissioner Elizabeth Denham has made it clear that while enforcement is part of her remit, she prefers that “education, engagement and empowerment” comes first, adding: “Prevention is better than cure”. It is a key point in how organisations and businesses should regard GDPR compliance, said Douglas McLachlan, a Partner at Anderson Strathern.

“There is this focus on 25 May, but the reality is that many will overshoot this date. The public sector is probably the best prepared, along with regulated and larger businesses. But a significant proportion of businesses are not ready, or at least not completely ready. The Information Commissioner recognises this; that compliance is a process, not an event.

“Working with clients on compliance, we have been getting them to look at their procedures and processes and using this as an opportunity to understand what data they hold, what they are doing with it – and what’s the legal basis for that – asking themselves are they collecting too much or keeping it too long? Making sure they have the right protocols, that they have strong defences, that staff are knowledgeable and trained, and that there is good governance.”

However, McLachlan believes that the problem for organisations and businesses may come from complacency: “The reality is that the Information Commissioner is not going to be inspecting everyone from 25 May; her office simply does not have the resources.

“But the risk is that if there is not a sudden rush of news, people become complacent; looking at 25 May as a bit like Y2K, the millennium computer bug which did not cause the problems that were anticipated – as though it was a big fuss about nothing.

“And the danger is that 12 or 18 months down the line, an organisation or business may become the victim of computer hacking, or maybe an employee will just lose a paper file full of people’s personal data – both of which could be a reportable personal data breach under GDPR.

“At this stage, the Information Commissioner may investigate the organisation further and the problems for them will stem from how little they have done to mitigate against a personal data breach occurring, or how little they have done in terms of GDPR compliance overall. If they have not considered and addressed their compliance risks and do not have good policies and procedures, and strong defences, in place then they risk a high-level fine.”

Data incidents occur, but you are far more protected against the consequences if you follow best practice, invest in your IT and physical security, and invest in and train your staff – Douglas McLachlan, Anderson Strathern.

So, McLachlan has been advising clients to conduct their own audit of what data they hold and process, for what purpose, on what legal basis, and how the data are handled. That includes looking at how well protected the data are. As well as good IT security, organisations and companies also need to look at their physical structures; the external and internal security of their building, how visitors are managed, and document handling issues such as shredding.

“The human element of data security can’t be overlooked either,” said McLachlan, “by having the right vetting procedures, good training, creating a culture of confidentiality and compliance where employees should not fear reporting a data incident. And these IT and human elements combine in terms of things like password strength and vulnerability to social engineering.

“The Information Commissioner recognises that data incidents occur, but you are far more protected against the consequences if you follow best practice, invest in your IT and physical security, and invest in and train your staff.”

Accountability and security

  • Accountability is one of the data protection principles – it makes you responsible for complying with the GDPR and says that you must be able to demonstrate your compliance.
  • You need to put in place appropriate technical and organisational security measures to meet the requirements of accountability and the principle of “integrity and confidentiality” (security).
  • There are a number of measures that you can, and in some cases must, take including: adopting and implementing data protection policies; taking a ‘data protection by design and default’ approach; putting written contracts in place with organisations that process personal data on your behalf; maintaining documentation of your processing activities; implementing appropriate security measures; recording and, where necessary, reporting personal data breaches; carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests; appointing a data protection officer; and (in the future) adhering to relevant codes of conduct and signing up to certification schemes.
  • Accountability obligations are ongoing. You must review and, where necessary, update the measures you put in place.
  • If you implement a privacy management framework this can help you embed your accountability measures and create a culture of privacy across your organisation.
  • Being accountable can help you to build trust with individuals. It may also help you mitigate against any risks of enforcement action.