Why GDPR is sexy… I mean awesome

I fully get that compliance in general, let alone data protection or GDPR, is not at the top of most people’s “interesting things to know about” list, but at a recent Dorset Chamber lunch (which I co-sponsored) I used “sexy” as a word to describe GDPR, asking the audience “is it just me that thinks GDPR is interesting and sexy?” – judging by the laughter, I guess, in that room at least, it probably is!

Certainly “sexy” and “GDPR” aren’t words you’d expect to find in the same sentence, and just to clarify I meant sexy in its informal or slang form, meaning awesome or interesting…

I stand by my use of the word, and here’s why.

On the face of it GDPR is pretty black and white: you can do this… with personal data; you can’t do this… with personal data; make sure you allow data subjects to do this… with their personal data. The regulation, and the UK’s Data Protection Act 2018 which also implements aspects of it, are after all a set of rules set out in law, but where it gets interesting (or “sexy”) is the individual application of those rules to the varying types of scenarios or organisations when personal data is being processed: that’s a real challenge for anyone, and that’s what I love about GDPR and privacy law.

So, by way of example, let’s consider the GDPR rules that apply to data breaches. The GDPR says:

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.” (GDPR, Article 33(1) “Notification of a personal data breach to the supervisory authority”)

That seems pretty black and white: so, in the UK, if you suffer a personal data breach you have 72 hours, once aware of it, to decide whether you need to tell the ICO (the Information Commissioner’s Office is the UK’s “supervisory authority”) because there is a risk to the data subjects. But, there’s more to it than that: for example, what constitutes a “risk” to the data subjects that would require you to report it to the ICO?

If you then look at the guidance that’s available about what constitutes risk, it may be physical harm to the data subject, financial harm, mental distress and so on, and the level of harm will depend on the context of the processing. The breach of some names and email addresses from a manufacturing company selling widgets is a different harm from the breach of the names and email addresses of attendees at a sexual health clinic, for example.

And this is where, as a data protection specialist, it gets interesting. It’s not just about interpreting what the rules say – yes, you need to understand the rules, but you also need to understand the context of the processing, think hard about how the data subjects may be affected by the breach, and think about the implications for the data controller (the organisation that decides why and how the data is processed) of notifying the ICO, let alone of dealing with the ICO when they decide it needs investigating.

So, on the face of it the GDPR is a set of dos and don’ts, but there’s much more to it than that. For lots of people, whether they see compliance as a nuisance or just EU red tape, that’s what makes it dull: they may never need to deal with the ICO, or they may never face a data breach. But just thinking about what constitutes a personal data breach is much more complex than “someone stole our data”, and that is what makes it challenging, interesting, awesome and sexy!

Furthermore, the rules, and their interpretation, don’t stand still. Every time the ICO deals with a breach of the law, it sets out what it believes is the right interpretation of the rules, so buried within the enforcement notices are helpful nuggets showing how you should be interpreting specific aspects of the regulations. Those nuggets may concern specific elements of data protection (e.g. what the security principle, Article 5(1)(f), really means in practice) or how a particular sector or industry should be implementing those rules. Ever since the ICO and its predecessor, the Data Protection Registrar, started enforcing data protection back in the 1980s, their guidance notes, codes of practice and enforcement notices have been littered with helpful insight into just how compliant you need to be.

At the same Dorset Chamber lunch, where I said data protection was sexy, I asked the attendees if they’d heard about the ICO’s intention to fine British Airways £183m and everyone put their hand up; I asked about the £99m Marriott fine and again most put their hand up, but when I asked if they had heard about the £80,000 fine of an estate agent the week before, only 1 or 2 of the audience (of about 70 people) had heard about it. And herein lies the problem: with the world of data compliance constantly changing, from interpretation to case precedent (e.g. a court case or the ICO’s enforcement notices), how do you know you’re up to date and not missing any of those important nuggets of compliance information, whether the “offenders” are in your market sector or not? Particularly if you’re relying on the mainstream media to keep you updated and informed!

The irony of the BA and Marriott cases is that they are just intentions to fine, not actual fines, and therefore we’ve not seen the enforcement notices with all the interesting detail, unlike the estate agent case where we have plenty of information. There’s still useful information to be taken from these big cases: the BA fine appears to be about 1.5% of turnover, so does this mean the ICO are looking at this as a fining benchmark? The Marriott case relates to a company Marriott acquired whose systems were already compromised at the time of the acquisition, and the ICO has criticised the due diligence carried out during the acquisition as not being adequate, so there is evidence you could be liable even for a past event you had nothing to do with…

In the estate agent case, basically, they’d left personal data records on an insecure server for two years and didn’t notice until a “hacker” told them he had their records and would go public if they didn’t pay a ransom. The ICO makes it clear that this is a breach of the security principle in data protection, and sets out that there was no evidence the estate agent carried out penetration tests or monitored access logs for the server, either of which would have highlighted the unauthorised access or the weakness in access security. Do you check the access logs for your systems? Do you penetration test all the places where you store your data? And if you’re thinking “that’s OK, we use third parties to store our data (e.g. cloud services)”, how are you sure they have appropriate security in place to protect your data, and how do you demonstrate that you know they’re secure? You’d still be liable if they’re not…
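To make “monitored access logs” concrete, here is an added example (mine, not anything from the ICO notice or the estate agent’s systems) of the kind of check that would have surfaced the access described above. It assumes a web server writing standard Apache/Nginx “combined” format logs, that customer records live under a path prefix such as /crm/tenants/, and that legitimate staff access comes from known internal networks; the log lines are constructed for illustration. It flags two things: successful reads of the sensitive path from an address outside the allowed networks, and any single address pulling more distinct records in a short window than a person browsing normally would.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx "combined" log format (assumption: the server logs in this
# format; adjust LOG_RE and TS_FORMAT for anything else).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def audit(log_text, sensitive_prefix, allowed_nets, max_records=20,
          window=timedelta(minutes=10)):
    """Scan access-log text for suspicious reads of sensitive_prefix.

    Returns a list of findings:
      external_access   - an IP outside allowed_nets read records (with a count)
      bulk_enumeration  - one IP read more than max_records distinct records
                          inside `window` (an export or scrape, not browsing)
    Only successful (HTTP 200) reads count; probes that 404 are ignored here.
    """
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    external = defaultdict(int)          # ip -> successful external reads
    hits = defaultdict(list)             # ip -> [(timestamp, path), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue
        if not rec["path"].startswith(sensitive_prefix):
            continue
        ip = ipaddress.ip_address(rec["ip"])
        if not any(ip in net for net in allowed):
            external[rec["ip"]] += 1
        hits[rec["ip"]].append((rec["ts"], rec["path"]))

    findings = [{"type": "external_access", "ip": ip, "count": n}
                for ip, n in external.items()]

    # Sliding window over each IP's reads, sorted by time: if the number of
    # distinct records inside any window exceeds max_records, report once.
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {path for _, path in events[start:end + 1]}
            if len(distinct) > max_records:
                findings.append({"type": "bulk_enumeration", "ip": ip,
                                 "records": len(distinct), "ts": events[end][0]})
                break
    return findings


def sample_log():
    """Constructed sample, not from any real system: two staff reads during
    the day, then an unknown host (198.51.100.7, a documentation address)
    probing and then pulling 25 tenant records in a row at 2 a.m."""
    lines = [
        '10.0.0.12 - - [03/Jul/2019:09:14:01 +0100] "GET /crm/tenants/1042 HTTP/1.1" 200 5120',
        '10.0.0.15 - - [03/Jul/2019:09:16:40 +0100] "GET /crm/tenants/1043 HTTP/1.1" 200 4988',
        '198.51.100.7 - - [03/Jul/2019:02:02:59 +0100] "GET /crm/tenants/0 HTTP/1.1" 404 312',
    ]
    for i in range(1, 26):
        lines.append(f'198.51.100.7 - - [03/Jul/2019:02:03:{i:02d} +0100] '
                     f'"GET /crm/tenants/{i} HTTP/1.1" 200 5000')
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in audit(sample_log(), "/crm/tenants/", ["10.0.0.0/8"]):
        print(finding)
```

The thresholds are the part you tune to your own processing context: a sales team legitimately opening thirty records an hour needs a higher max_records than a one-person office, and an allow-list of networks only works if staff actually come in over a VPN or office range. The useful point is that neither check needs anything more exotic than the logs the server already writes; what the estate agent lacked was anyone looking at them.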

So, these ICO cases are interesting too, not least because of the nuggets of information buried within their investigations, which give away the actions you should be considering to make sure you meet the ICO’s standard of compliance.

So, what should you be doing? You can rely on mainstream media to report the high-profile cases, but you’re not likely to relate to them – you probably aren’t the size of BA or Marriott, and the reports will focus on the size of the fine, not the substance. You might, however, be nearer the business size of the estate agent, but cases like theirs never make the news (outside data protection circles), so how do you know what you need to worry about, and how are you keeping up to date?

Whether it’s enforcement notices and their interpretation of the law or new guidance from the ICO, from the EU regulators or from wider afield, you have no choice but to pay attention to all sources of enforcement and best practice. That means reading ICO guides (when they update them) and enforcement notices, or spotting that the EU has published specific guidance on a GDPR topic. And if you’re not finding data protection interesting or sexy, then it’s unlikely you’ll be interested in keeping track of all of this – you’ve got a business to run, after all!

That’s where services like my Digital Compliance Hub come in – we track changes in interpretation and updates to guidance, and we look further afield than the BBC, Sunday Times or other mass media outlets; we keep an eye not just on the ICO but on the European Data Protection Board and what the other EU “ICOs” are doing, and we make sure our customers are up to date and maintaining their compliance. But that’s not all – we’re on call to help you when you need it most, so when that data breach happens, or you face a GDPR challenge from a client, or are contacted by the ICO, you get independent help tailored to you and your circumstances at that time. Check us out here: https://digitalcompliancehub.co.uk or get in touch (in the comments) if you’d like a free trial.

And that’s why data protection and GDPR is sexy!
