Industry analysis from Accesspoint Technologies: Building blocks
This article was originally featured as an industry analysis in the November 2017 issue of LPM. To read the issue in full, download LPM.
As we are perhaps all now aware, we all need to comply with the EU’s new data protection regulations by May 2018. For many law firms, GDPR doesn’t necessarily mean General Data Protection Regulation but rather it means ‘absolute panic’ and ‘extreme caution’ – since it likely adds more work to already hectic daily schedules.
Perhaps it’s the notion that legal businesses don’t fully understand what’s required by the new data rules and yet are seen by most of the populace as potentially knowledgeable on the matter that’s increasing the pressure on them to do more about it. Firms may be worried that they could become an early GDPR offender or ‘victim’ and that this will destroy much of their credibility.
Many firms see the GDPR as primarily an IT issue, but that’s just not the case. It’s important to understand that it’s more about the core of your business’s working processes and the systems and policies. Common sense prevails here and, in some ways, should drive thinking about compliance with the GDPR.
When asking the question “Where is the biggest challenge for you?”, the more obvious areas where data should be protected seem to get no mention – and it would appear that the biggest concern and impact could lie in the smaller and more detailed areas of people operations and their data handling.
Many of these areas are being buried behind systems that we have created and implemented over the years and have taken for granted, or ‘situations’ that we have encountered and sometimes adopted over the years that we haven’t really fully considered until now.
The GDPR as a mechanism is long overdue – it took more time to agree and issue than the European Commission first conceived back in 2012. The regulation was then agreed upon by the European Parliament and Council in December 2016. Without doubt it has now focused minds and attention on everyday business activities that were previously accepted and sometimes overlooked despite the occasional slip-up.
Policing our compliance and managing the enforcement of the GDPR will take time and it could prove to be very difficult on both counts at authority and ground level, when considering the magnitude of everyday operational activities. The one thing for sure is it will have a big impact on what we do and on the thought process around how we do it.
The whole issue around data and how we collect, protect, store and select it for use is under scrutiny. New obligations from the GDPR on such matters as data subject consent, data anonymisation, breach notification, trans-border data transfers, and appointment of data protection officers, to name a few, may require companies handling EU citizens’ data to undertake major operational reviews and, where necessary, reform in order to meet the new regulations.
The GDPR will offer more guidance on appropriate security standards while imposing strict obligations on nominated data processors and controllers with regard to data security. The GDPR will also introduce, for the first time, specific breach notification guidelines.
Under the GDPR, a personal data breach is considered a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. One must provide notice without undue delay and where feasible not later than 72 hours after having become aware of the breach. This is the start of self-policing, and further ensuring our willingness to comply are the financial penalties that can be very substantial – in some cases up to £20m, which could be fatal to business continuity. Such fines add pressure for us to sit up and take notice.
Data controllers and processors alike must designate a data protection officer to comply with the new regulations.
Among some of the credentials required of data protection officers is expert knowledge of data protection law and practices. The GDPR’s recitals suggest the level of expert knowledge should be determined in accordance with the data processing operations carried out and the protection required for the personal data processed by the controller or the processor. Without stating the obvious, much of this will also be just good old common sense with how we think and handle situations.
Responsibilities include: informing and advising the controller or processor and its employees of its obligations to comply with the GDPR and other data protection laws, and monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, training data processing staff, and conducting internal audits. But they will also need to advise with regard to data protection impact assessments when required, work and co-operate with the controller’s or processor’s designated supervisory authority, and serve as the contact point for the supervisory authority on issues relating to the processing of personal data. And they will have to be available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights.
These responsibilities will mirror those used elsewhere around the globe. Data protection officers have many rights in addition to their responsibilities. They may insist upon company resources to fulfil their job functions and for their own ongoing training. They must also have access to the company’s data processing personnel and operations, significant independence in the performance of their roles, and a direct reporting line to the highest management level of the company. Job security is also included – the GDPR expressly prevents dismissal or penalty of the data protection officer for performance of their tasks and places no limitation on the length of their tenure.
All of this said, most businesses have been around for a considerable amount of time – during which their everyday processes and systems have been developed with thought and care to execute the best possible solution to a problem or enable better productivity. With this in mind, it begs the question regarding GDPR: just how much do we all really need to do?