The final installment of the three-part series from guest blogger Toby Stevens, describing how organisations can fail in their GDPR readiness, and how you can avoid the same failures. If you missed part one or part two of the series, catch up now!
7. Forget other laws
With all the excitement about GDPR, it’s very easy to forget that it’s just another data protection law, and that in the rush to prepare, a dumb way to fail would be to fall foul of the existing laws.
A common theme for many organisations as they prepare for GDPR is updating the legal basis for processing: where they rely on consent as a legal basis, if the existing consent is not recognised under GDPR, then it needs to be brought up to standard. For example, if an existing consent was captured using a default opt-in (e.g. a pre-ticked box); or a database has data of mixed or unknown provenance; or the decision has been taken to change the legal basis for processing (e.g. from legitimate interest to consent); then a refresh programme is going to be necessary.
However, get that consent refresh wrong and you could have all sorts of problems. Witness what happened to these companies:
- Morrisons Supermarket sent 130,671 emails asking for consent from customers who had opted out of direct marketing resulting in a fine of £10,500
- Honda Europe sent 289,790 emails to customers asking for consent when they could not demonstrate a lawful basis for processing, resulting in a fine of £13,000
- FlyBe sent 3.3 million emails asking for consent from customers who had opted out of direct marketing resulting in a fine of £70,000
- MoneySuperMarket sent 7.1 million emails asking for consent from customers who had opted out of direct marketing resulting in a fine of £80,000
There’s a pattern forming there. Many of those organisations would have been busy sorting out the consent status on their direct marketing databases ready for next year. If the legal basis for processing is unclear, or the data subjects have opted out of processing, then your consent refresh could land you in hot water, and in each case the applicable legislation isn’t GDPR or even the Data Protection Act, it’s the Privacy and Electronic Communication Regulations (PECR).* Those organisations fell foul of PECR in their efforts to comply with GDPR.
And those fines are just the tip of the iceberg. In all likelihood the organisations’ abilities to use those marketing databases would have been severely impaired thereafter as a result of the Information Commissioner’s enforcement actions. In the worst case, they might have had to delete the databases completely, and that would be the real impact.
So if you’re busy refreshing consent for the use of personal data, don’t be dumb: remember that you’re already subject to data protection laws, and comply with them.
* Pro tip: if you’re worried about PECR when handling a marketing database, remember that it only applies to electronic communications (phone and email**). Using postal channels to reconsent is neither cheap nor necessarily as effective, but it might simplify your legal risk profile.
** Technically, PECR also covers facsimile machines, but unless you wish to market to someone in the 1980s you’ll probably be fine there.
8. Treat May 2018 as a deadline
For the early years of this millennium, doomsday crackpots predicted that the world would end in 2012, as prophesised by the Mayan calendar.
For the past two years, that role has been taken on by vendors and consultants who have foreseen the apocalypse on 25th May 2018 when the GDPR is enforced. Supervisory Authority Enforcement Agents will kick down the door of each and every company, charity or public authority that is in possession of so much as a phone book, and their Data Protection Officers will be dragged off to Wilmslow to face punitive fines or fall down the ICO’s stairs.
We’ve already talked about the reality of fines, so if the percentage-which-must-not-be-spoken isn’t going to be universally applied, then what will actually happen?
In August, Information Commissioner Elizabeth Denham wrote:
“The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”
The ICO will doubtless work to enforce the new law and uphold information rights, but we won’t see a sudden rush of punitive enforcement actions.
The GDPR is an evolution of current data protection laws, so think about what changes on 25th May 2018. There is no visit from GDPR auditors that day to award or revoke a certificate. There is no industry-regulated cut-off that will result in your systems being shut down. GDPR readiness is not a one-off project, but a move to a new way of working with personal data.
What changes is an evolution in your organisation’s processing risk profile. You are exposed to some fresh risks, and the potential impacts of those risks increase significantly. If you’ve built your delivery around a risk-based approach, and ensured that the change in risks is reflected in the executive risk reporting, then you’ve acknowledged that there is no such thing as ‘GDPR compliance,’ just GDPR readiness, and your risk model can accommodate the change. Yes, those risks might come to pass. But in the meantime business goes on, and your organisation can continue to make rational and correctly-prioritised operational choices, based on an understanding of operational risk and an appropriate prioritisation against other commercial needs.
25th May 2018 remains a big deal, but for your project it should be just a risk milestone, rather than the end of the world. The apocalypse will have to wait for the next doomsday prophecy***.
***Which might actually be the ePrivacy Regulation.
Check back for the final installment of GDPR fails! These posts were originally published via Toby’s LinkedIn page. Toby Stevens FBCS CITP CIPP/E CIPM is an independent privacy and data protection consultant.