Perspectives

Privacy matters from either end of the binoculars

By Dominic Fisher

Standing up for the little guy

Have you ever had concerns about the data a company holds on you, how they got hold of it in the first place or even whether it’s accurate? If you have, you’re not alone. Recent surveys reveal widespread worries amongst consumers about how their private data is used by businesses and, indeed, the security of such information. Personal details can affect everything from whether you secure a job, to how much you pay for insurance, to what advertisements come up when you log into your social media accounts.

Although certain data privacy rights are already enshrined under Malta’s Data Protection Act of 2001, a new EU law, which will become effective in May 2018, will tip the balance of power further in favour of the individual. The General Data Protection Regulation (GDPR) is intended to restore trust in public and private bodies and enhance personal data privacy rights. Without attempting to distil the 55,000-word text into a short article, the various new and clarified privacy rights amount to us having far greater control over what information is collected on us and how it is used.

One important change is the type of consent that organisations will require to collect and use our personal data. Pages of small print or unticked boxes will no longer suffice, as consent requests should be clear and consent given should be specific and explicit.

Given that the personal data already held on you at the point when the law goes live has the same consent requirements, you can expect a lot of communication from organisations that already hold your details to obtain suitable consent.

Another interesting development involves your right to know what personal data is held on you by organisations and to have such data erased (subject to some obvious caveats). In situations where highly personal data has been lost or shared with unauthorised parties you are also entitled to be informed.

Responsible data processing

Isaac Newton stated that ‘for every action, there is an equal and opposite reaction’. Applied to our situation, the flipside of the increased consumer rights mentioned above are significantly increased corporate responsibilities. If a customer, employee or service user has the right to know what data you hold on them, your organisation had better know what data you have, where it is located and how to compile it quickly and without too much expense.

Some of the 80 specific new requirements emanating from this legislation also include IT Security obligations. The WannaCry virus, which has been hitting the headlines is an interesting one to consider in the context of GDPR. Whilst it is clearly a sophisticated and dangerous attack, many organisations appear to have been infected due to some pretty basic security weaknesses. Under the GDPR, organisations holding personal data which may have been compromised by a hack or a virus would have just 72 hours to report breaches of this type to the regulator.

Before GDPR, some companies and public bodies perceived the costs of non-compliance with Data Protection laws as tolerable. By comparison, the GDPR has teeth. Particularly eye-catching are the potential size of fines, which can reach the greater of €20m or 4% of global turnover. Given that the regulation is intended to harmonise the EU playing field, there is little scope for an individual EU member state’s Data Protection Authority to take a lenient approach around sanctions. In addition to fines, the new law makes it much easier for consumers to obtain damages from non-compliant organisations.

In summary, it’s clear that those public and private bodies that fail to take a proper interest in privacy may find themselves experiencing some seriously negative consequences.

Approaching a GDPR project

Whilst compliance with the GDPR is no small undertaking, it’s important to appreciate that the regulation merely transforms good business practices into formal requirements, albeit with a big stick to encourage compliance.

Given the tight regulatory timetable, stakeholder awareness initiatives and gap assessment exercises should be at a fairly advanced stage by now. A data inventory, preferably supported by data process flow schematics, is also a critical element to ensure that your plans are comprehensive. Legal, Compliance and IT departments will all need to be involved in designing suitable policies, procedures, systems and measures to support compliance.

Undoubtedly, GDPR projects are likely to be supported by bespoke tools and templates, but it is doubtful that suitably tailored solutions will jump out of a box. Successful GDPR projects will likely have the following features:

  • Link to business goals – In planning these projects you are likely to be surprised how much personal data is held across the organisation. Rather than applying GDPR rules to what you have in a mechanistic fashion, a smarter approach involves first understanding what personal data is actually needed to achieve organisational objectives, focusing on this data and disposing of the rest. A project that places strategy at its heart is more likely to engage management and create joined up thinking.
  • Cultural transformation - Bearing in mind that privacy processes are only as strong as their weakest links, a challenge that many organisations will face is to go beyond ticking the boxes to transform the organisational culture in favour of personal privacy. A recognition of the cultural risks and a plan to tackle them is crucial.

You may have noticed that the above elements require a credible project team. Make sure that the individuals assigned to your GDPR project have the credentials and gravitas that this important legislation demands.

Did you find this useful?