GDPR: Dumb Ways to Fail – Part 2

Employee round-table discussion
Reading Time: 5 minutes

This is part two of a series from guest blogger, Toby Stevens, describing how organisations can fail in their GDPR readiness, and how you can avoid the same failures. If you missed part one, catch up now!

4. Treat it as a one-off project

“GDPR is like Y2K – a load of running around fixing stuff, and the vendors and consultants get rich, but nothing really changes.”

Someone said that to me yet again this week, and it’s a really dumb way to fail.

Nothing could be further from the truth. Y2K was a technology remediation project to overcome a technology problem, with a hard-stop deadline. Some organisations just did the bare minimum to fix it, some used it as an opportunity to understand and overhaul their IT delivery, some stuck their heads in the sand and hoped for the best, and most got away with it in the end.

GDPR, however, is not a one-off project: it is a significant evolutionary step in data protection, and the impact it will have on your organisation depends upon the maturity of your current data protection management.

For organisations with robust and mature data protection management systems, GDPR will still require effort to ensure that risks are understood and controls and capabilities are in place.

For those with less developed data protection functions, this will require both significant remediation effort, and the creation of permanent data protection and information rights management capabilities. DPOs and data champions and information rights teams will have to be appointed to permanent roles. These organisations will find themselves paying off the data protection debt they’ve accumulated over the past 20 years as they failed to invest in their information governance but somehow got away with it.

At the end of this process, the data protection world will have changed. We’ll have more savvy data subjects with greater understanding of their new rights; we’ll be working with customers and suppliers who expect us to live up to our obligations for information governance, and enforce that through legal and technical controls; and ultimately more empowered supervisory authorities who will be able to ensure that we meet our legal obligations. This isn’t a one-off fix, it’s the transition to a new data protection model.

And that’s why viewing it as a one-off project would be a really dumb way to fail at GDPR.

5. Consent for everything

If there is one howling great misconception about GDPR that stands out above all other dumb ways to fail, it’s this:

“You need consent to process personal data.”

We’ve seen this all over LinkedIn and in various trade journals, where someone has had a quick look at the GDPR headlines and concluded that consent is mandatory for all processing. It really isn’t. The GDPR provides six different legal bases for processing personal data (excluding special categories), which include:

  1. The data subject had given consent to the processing;
  2. Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. Compliance with a legal obligation to which the controller is subject;
  4. To protect the vital interests of the data subject or of another natural person;
  5. For the performance of a task carried out in the public interest or in the official authority of the controller;
  6. For the ‘legitimate interests’ of the controller or a third party.

In practice, most organisations will only have five of these legal bases open to them: public authorities are not permitted to use ‘legitimate interests’ (more on that in another post) as a legal basis, and in many cases will not be able to use consent either; and private companies will rarely be in a position to use ‘public interest or official authority.’

Not only do we have multiple legal bases for processing, but in most circumstances consent is not the most appropriate one to use. For example, consent is almost never appropriate in the context of employment, since the employee rarely has a meaningful choice about giving consent if the alternative is to be refused employment or related benefits.

Consent is probably the last legal basis that a controller might with to rely upon for processing, since it is the hardest legal basis to achieve, and obligations to keep it current and evidenced mean that it can be the hardest to live with. But it’s also the strongest and safest legal basis once obtained, since it provides an unequivocal statement of approval for processing, and provides a foundation for trust between controller and data subject.

This issue is by no means new. Some 10 years ago, a civil servant (responsible for processing in a public authority) said this to me:

“If the processing in your new system relies on consent, then you’ve already failed.”

Maybe that’s a cynical viewpoint, but it’s a good message to keep in mind. Spend time thinking about the most appropriate legal basis for your processing; consider whether you can actually use the proposed legal basis, and what the implications are; and don’t rush into consent just because it seems an obvious choice, because a dumb way to fail at GDPR would be to assume you need consent for all processing without first considering your options.

6. Focus on the fines

What’s the one thing those vendor and conference emails that arrive almost daily, promoting their new GDPR solution, never fail to miss out on? It’s the fines. The maximum possible fine of the percentage-which-must-not-be-spoken* has become a fixation for so many organisations, and that’s a surefire dumb way to fail at GDPR.

The problem with the percentage-which-must-not-be-spoken is that it’s a threat that was set as a deterrent to those organisations engaged in wilful and negligent processing. Using it as a threat to raise boardroom awareness; as an impact to develop internal risk models; or a triage factor to prioritise your remediation, will simply result in lack of credibility with the executive, skewed risk outcomes and unrealistic risk remediation delivery, because the reality is that the ICO is unlikely to apply fines of anything like those levels. Your delivery project will simply fail to deliver what your organisation needs.

Writing in August, the Information Commissioner stated:

“it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm. The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick. Issuing fines has always been and will continue to be, a last resort.”

Not only has the Information Commissioner said that she won’t be pursuing fines as an enforcement mechanism, but to date the ICO has never used the maximum fine powers of £500,000 under the current Data Protection Act.

Does that mean it’s all fine and there’s nothing for your organisation to worry about? Sadly, no.

Imagine a very different scenario: your organisation receives a letter from the ICO, in which a data subject complains about the legitimacy of your organisation’s direct marketing activities and the effectiveness of the information rights function.

In the letter, the ICO asks you to confirm that your organisation’s marketing operation complies with the GDPR in its marketing operation. But the problem is, it doesn’t. What do you do then? Your options are to do nothing and hope it goes away; lie to the supervisory authority; or suspend your direct marketing activities whilst you fix the issues you should have fixed in the first place? Now imagine standing in front of your board asking them either to sign off a bare-faced lie, or suspend your direct marketing operation.

The hidden trick that GDPR has up its’ sleeve are the half-the-percentage-which-must-not-be-spoken fines for failure to meet controller’s obligations, enabled by Article 83. By asking for confirmation that the controller has met its’ obligations, the supervisory authority doesn’t even need to conduct an investigation to achieve both a deterrent effect and an effective punishment on controllers and processors who have yet to comply.

If you’re thinking carefully about GDPR, that’s the sort of threat you’ll be using to gain boardroom support, to build your risk models, and to prioritise remediation. It’s more realistic, it’s more proportional to your operation, and it’s much more likely to happen. And the threat of shutting down the direct marketing function just before Black Friday would be a very effective deterrent indeed for an organisation that’s been sufficiently dumb to just focus on the fines.

*If I have to tell you what the percentage is then it’s probably too late for you anyway

Check back for the final installment of GDPR fails! These posts were originally published via Toby’s LinkedIn page. Toby Stevens FBCS CITP CIPP/E CIPM is an independent privacy and data protection consultant.