Thanks to the EU’s new data protection law, the GDPR, companies are having to change the way data is handled. Since the law came into force in January, there has been a stepping up in efforts to achieve compliance, which will necessitate discussions between many departments: IT, marketing, sales, finance and senior management.
Even though we have just under two years until GDPR is enforced, it could easily take that long to achieve consensus, budgetary approval and then implement the necessary tools and procedural changes to assure compliance.
Preparations in an uncertain world
Many observers, myself included, have for some time advocated undertaking a review of current practices as a first step to complying with the new rules. Giving yourself a slow, steady run-up to a change as potentially significant as the GDPR makes good sense. Right? Well, just when you thought it was safe to start planning, another potential scenario has emerged. The EU referendum in June now looms large and in the event that the UK leaves the EU, the road to compliance no longer seems clear.
Brexit illustrates the need to approach data protection compliance with a touch that is both light and firm. What do I mean by this? Light because all the underlying tools, infrastructure and policies regarding data handling need to be flexible enough to accommodate multiple scenarios – including ones we haven’t come across yet. Firm because the functions and auditing mechanisms need to be rigorous enough to secure compliance. We have a mantra at Ipswitch: if you can’t track it, it isn’t secure.
The referendum is three months away and the outcome is too uncertain to call right now. Businesses will be considering their position in the event of Brexit, including how the different outcomes will affect current GDPR and other legislation affecting data protection, e.g. the Investigatory Powers Bill (Snoopers’ Charter) currently going through Parliament.
If the UK remains in the EU, the GDPR will apply. If the UK leaves the EU, it’s questionable if the UK would want to adopt a data protection regime that’s considerably more onerous than the current one. Recalling the UK’s opposition to some of the more stringent measures proposed by the GDPR, experts have inferred that the UK would be more likely to adopt something akin to the data protection law currently in place.
Data transfer deal or no deal
The precise figures fluctuate, but a ballpark percentage of UK exports that are bound for the EU is 40 per cent. In other words, businesses will need to find a way of continuing to do business with the EU. Similarly, they will still need to transfer personal data to and from the EU. In the event of leaving the EU, the UK would need to ensure that data was being afforded “adequate protection”, and that would need to be agreed in a separate deal.
Talk of a separate deal recalls the uncertainty and protracted negotiations surrounding Safe Harbour, according to Emily Taylor, associate fellow in International Security at Chatham House. She has warned that the combination of a new data transfer agreement in the manner of Safe Harbour, combined with the Investigatory Powers Bill (Snoopers’ Charter) could jeopardise data sharing between the UK and EU, with severe economic impact.
It’s worth noting that this view is not universal. A number of other commentators accept a new deal would be required but that a precedent has already been set by the likes of Switzerland and Canada. Law firm Simmons & Simmons sounds altogether more sanguine: “If the UK retained a similar model for data protection as currently in place under the DPA, it is likely that the UK would apply to the Commission requesting that it be determined as a country providing an ‘adequate level of protection’ for personal data… in which case, transfers of personal data from the EU to the UK could continue to flow as they do now.”
GDPR Compliance No Matter What
Pragmatists might argue that even if the UK is not signed up to the GDPR, it’s likely to need to adhere to something very similar in order to continue to transfer data to and from the EU. The DMA, the organisation representing the direct marketing industry, is very clear on this point and urges companies: “the referendum is not a reason to delay plans to understand and become compliant with the GDPR.”
Senior management may disagree with this view when facing increased spending as a direct result of the GDPR. Ipswitch’s own survey last autumn into GDPR preparations revealed that more than three quarters of UK companies say that keeping up with data protection regulatory requirements will cost them financially. This is likely to include investing in new tools and technologies as well as setting aside training budget to help staff understand the new systems.
Any IT professionals tempted to stall GDPR preparations until after the referendum should bear in mind that the GDPR is focused on protecting the personal data of EU citizens, no matter where that data resides. The compliance requirements will not go away and it is advisable to maintain momentum.
Practicable next steps
Data flows are fundamental to the GDPR. Data is at its most vulnerable when in transit, and moving data securely and reliably will come under the spotlight with the possibility of Brexit. Understanding your file transfer policies is going to be critical to success. Managing the transfer and storage of all files between customers, employees, partners, business systems etc. can be daunting. One technology that can help is managed file transfer, making data accessible while giving the IT department complete control and visibility.
There are a number of other GDPR requirements you should be thinking about right now:
- Explicit Consent
Sign-up procedures and configuration settings will need to be re-designed in line with the requirement for explicit consent.
- Profiling Users
Individuals can object to the use of personal data for profiling, especially as used in direct marketing. Tracking users on different systems requires you to get clear and unambiguous consent and describe every step: where, how and what data is stored.
- The Right to Be Forgotten
To fulfil this requirement, it’s critical to design your system so that users can review their data, request rectification or withdraw previously given consent.
- Data Portability
The easiest way to enable individuals to port their personal data from one service provider to another will probably involve commonly used standards and ensuring services are accessible from a well-designed API — one that may even allow downloads in a common format, like XML.
- Redesign Systems With Privacy and Encryption by Design
Pseudonymisation is the new buzzword: a privacy-enhancing technique ensuring non-attribution. This means data needed for attribution (such as for logging into the system) is not stored together with transaction data (the actual actions performed by your users), which greatly reduces the risk of harm to data subjects.
The regulation requires you to report data breaches within 72 hours of discovery, unless the affected data has been strongly encrypted.
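The separation described above, together with the right-to-be-forgotten and data-portability items earlier in the list, as an added Python illustration (not Ipswitch code; the store layout, field names and sample users are constructed for the example): attribution data lives in one table that also holds a random pseudonym, transactions are keyed only by that pseudonym, erasure drops the identity row and so breaks the link, and export hands back everything held about one person.

```python
import json
import secrets
from dataclasses import dataclass, field


@dataclass
class PseudonymisedStore:
    """Keeps attribution data (who) apart from transaction data (what).

    identities:   login/contact data plus the pseudonym that links a person
                  to their actions (the only place the link exists).
    transactions: actions keyed by pseudonym alone, so this table on its own
                  names nobody. Constructed illustration, not Ipswitch code.
    """
    identities: dict = field(default_factory=dict)    # user_id -> {email, pseudonym}
    transactions: dict = field(default_factory=dict)  # pseudonym -> [action, ...]

    def register(self, user_id, email):
        # A random, unguessable pseudonym: nothing in it derives from the person,
        # so it cannot be reversed to an identity without the identities table.
        pseudonym = secrets.token_hex(16)
        self.identities[user_id] = {"email": email, "pseudonym": pseudonym}
        self.transactions[pseudonym] = []
        return pseudonym

    def record(self, user_id, action):
        # Transactions are written under the pseudonym, never under the user_id.
        pseudonym = self.identities[user_id]["pseudonym"]
        self.transactions[pseudonym].append(action)

    def export(self, user_id):
        """Data portability: everything held about one person, as JSON."""
        ident = self.identities[user_id]
        return json.dumps({"email": ident["email"],
                           "actions": self.transactions[ident["pseudonym"]]})

    def forget(self, user_id):
        """Right to be forgotten: remove the identity row and with it the link.
        The actions left behind are no longer attributable to any person;
        whether to keep them as statistics is a separate retention decision."""
        ident = self.identities.pop(user_id)
        return ident["pseudonym"]

    def is_attributable(self, pseudonym):
        # True only while some identity row still points at this pseudonym.
        return any(i["pseudonym"] == pseudonym for i in self.identities.values())
```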
Michael Hack, SVP of EMEA Operations at Ipswitch