Today marks the four month countdown to the General Data Protection Regulation deadline of 25 May. In his latest blog, Dean Armstrong QC breaks down the five myths of GDPR that organisations need to dispel as they put final plans in place to deal with the new world of data protection.
Myth number one: There is a definitive answer to GDPR.
GDPR is a principle-based regulation as opposed to a rule-based regulation. The point about rule-based regulations is that it is possible for there to be a definitive answer. There is little need for interpretation.
A good analogy is that if you are driving at 35 mph in an area with a 30 mph speed limit, you are breaking the rules. GDPR is not like that. It deals in ensuring that data are processed in accordance with designated principles: for example, has effective consent been obtained; are the data held current; have data been anonymised where possible?
These are matters of interpretation. In the case of an investigation, that interpretation would be made by the ICO, which will take a legally based assessment. As such, specialist legal advice is needed to advise on interpretation.
Myth number two: GDPR only affects the compliance department.
The Regulation has, at its heart, the sanctity of personal data. It is about so much more than processes under the ownership of the compliance department. It is a root and branch change in terms of how an organisation uses, manages and protects data.
Personal data belongs to individuals and this Regulation enshrines the concept that the organisations are mere custodians of this precious commodity, and, much as you would expect from someone who has access to your prized possession, care must be taken in looking after it and using it for its prescribed purpose. Therefore, it is a whole business issue which impacts on the overall health of an organisation.
Myth number three: GDPR is all about the data hack.
Everyone assumes that GDPR is there to cater for the extreme scenario of a hack. This Regulation also imposes its most draconian sanctions for a host of other breaches, for example, if consent has not been properly obtained or data are not processed in accordance with the principles set down in Article 5.
The reason for this is clear. It is about a holistic approach to the treatment of personal data and whilst there are areas which are of greater significance than others, do not be lured into the false impression that piecemeal compliance, Article by Article, will do. Compliance by design and by default is the mantra of the Regulation.
Myth number four: GDPR is easily dealt with by buying technology.
It is superficially attractive to purchase a “solution” by buying technology. There are a number of vendors who appear to suggest that there is a “silver bullet”, a panacea to cure all ills. There is not. A simple example will suffice. As of 25 May, the governing Regulation will, save in a few limited circumstances, forbid the reliance on automated decision making.
For example, there will have to be a human element to consider the decision whether or not to offer a mortgage or other financial product, based on an automated credit score. Just simply saying “the computer says no” will no longer be an option. How is technology meant to thoroughly deal with that issue? The very essence of the need for human determination, and the power if necessary to reverse the decision, shows that a purely technological approach can never be adequate.
The other issue which can never be ignored is the fact that technological solutions cannot always cater for human error which, as is well known, is the most common cause of data breaches. That is not to say that technology has no part to play. It requires collaboration. Technology is the handmaiden of bespoke expert advice in this area.
Myth number five: The fines for GDPR are just a cost of doing business.
The fines are on a scale not seen before: up to 4% of worldwide turnover or €20m, whichever is the greater. That is only part of the story. Add in reputational damage; effect on share price; possibility of class actions; qualification of accounts; as well as loss of customer and supplier confidence, and it is easy to see that the fines are only the beginning of the problem.
As a final reminder for all those responsible for data in an organisation, as mentioned at the beginning, GDPR is a legally enforceable Regulation which will be tested and administered judicially. Its challenges will be met by specialist business, technological and legal advice. Any temptation to seek to cut corners on compliance is likely to result in serious and irreparable damage to the organisations that choose this path.
To discuss how your organisation can ready itself for GDPR, get in touch with Dean Armstrong QC, Consultant Barrister at Setfords Solicitors and author of Cyber Security: Law and Practice.
A version of this blog originally appeared on UK Security Expo.