GDPR: Dumb Ways to Fail – Part 1


Most blogs and information we see at the moment are, quite rightly, focused on how you should prepare for the GDPR, given how little time there is before the new regulations come into force. However, there are always two sides from which to look at things. Over the next few weeks we are bringing you a blog series, by guest blogger Toby Stevens, looking at, exactly as the title says, the dumb ways to fail in GDPR readiness. So off we go…

With approximately 121 working days to go until the General Data Protection Regulation is enforceable, I’m still shocked at how many myths, misconceptions and just plain stupid ideas still surround GDPR. I’ll be sharing some of those failures to help your organisation to avoid them.

1. Assume it doesn’t apply

Even now, there are organisations in the EU, or processing personal data about EU residents, who think they’re somehow exempt from the GDPR (let’s leave the subtleties of the Law Enforcement Directive and how it changes applicability for affected bodies out of this). At the event there was a question about whether charities might get some sort of special treatment when it comes to fines.

Applicability – and its extra-territorial quality under GDPR – is very clearly described in Article 3. In summary, if your organisation – whether public sector, private sector, third sector or anything else – is:

  • established in the EU (regardless of where processing takes place);
  • processing personal data about data subjects in the EU;
  • offering goods or services to EU data subjects (even if payment is not taken);
  • monitoring the online behaviour of EU data subjects; or
  • established in a territory where EU law applies;

then the GDPR applies to some or all of your processing. For UK organisations it will apply for the 10 months before Brexit happens, and it will still apply to their processing of EU residents’ personal data after Brexit happens, and the new UK Data Protection Act should enshrine the same GDPR principles into UK law after that time.

If you’re unsure about applicability, then you need to answer that question very soon indeed, otherwise you’ve failed by not starting at all.

2. Ignore accountability

At the heart of GDPR delivery is accountability. It’s embedded in the GDPR and is critical to organisational readiness: ignore it and you’re sure to fail. It is not to be confused with responsibility: accountability is assigned by circumstance rather than by management process, and it cannot be delegated or mitigated.

To quote Information Commissioner Elizabeth Denham in January this year:

“I want to explain how accountability is at the centre of all of this: of getting it right today, getting it right in May 2018, and getting it right beyond that… The GDPR mandates organisations to put into place comprehensive but proportionate governance measures… It means a change to the culture of an organisation. That isn’t an easy thing to do, and it’s certainly true that accountability cannot be bolted on: it needs to be a part of the company’s overall systems approach to how it manages and processes personal data.”

To accept accountability, your organisation needs to set the tone for GDPR delivery from the very top, and ensure that accountability runs through the management like a stick of rock. It’s mandated in Article 5.2, so there’s no getting away from it.

Accepting accountability is your organisation’s greatest delivery asset because it will ensure that everyone in your organisation understands their role in delivering GDPR and protecting data, and acts accordingly. Each business unit must recognise their accountability, and take responsibility for their own delivery of GDPR readiness. If you treat data protection and GDPR as issues that can be tucked away somewhere in an arm’s length delivery team, then you are guaranteed to fail. The business needs to own the issue.

Accountability is also your organisation’s greatest protection if you are subject to a complaint or investigation. If your controls aren’t up to scratch, or you’ve maybe made some poor decisions about your GDPR delivery, but you can demonstrate that you have accepted accountability for GDPR and committed appropriate resources, then that will be a significant mitigation in your favour. Specifically, you need to:

  • Set the tone from the top through a board-level (or equivalent) policy that assigns the priority, resources and budgets for GDPR delivery;
  • Ensure that each member of the board understands their accountability for delivery and acts accordingly;
  • Check that responsibilities have been suitably assigned and that the individuals tasked with delivery have been empowered to do so.

Accountability costs nothing and is the most effective tool you have available to you, and the most certain way to fail at GDPR delivery is to ignore it.

3. Don’t start yet

This Dumb Way to Fail at GDPR is short and simple: if you want to fail at GDPR, then be sure not to start your preparations yet.

How many days are there until the GDPR is enforceable? The new legislation was adopted on 27th April 2016, and will be enforceable from 25th May 2018. That’s (give or take a bit) 126 working days from now. We’re three-quarters of the way through the allotted time to prepare for GDPR, and organisations need to be ready then. That’s not the start date for preparation, it’s the start date for enforcement. Supervisory authorities won’t be interested in mitigating arguments that “we didn’t know about it,” or “we didn’t have enough time” (although we’ll talk about those in a future piece). If you want to be ready, you need to be working on it now (or better still, get a time machine and start 18 months ago).

If all that sounds a bit daunting, then take comfort that 25th May 2018 is a Friday, so hopefully you can have a bit of a lie down for a couple of days before you have to work out how to live in a GDPR world on Monday 28th May.

Check back next week for the next 3 GDPR fails! These posts were originally published via Toby’s LinkedIn page. Toby Stevens FBCS CITP CIPP/E CIPM is an independent privacy and data protection consultant.