UK regulators: Are you setting the example for GDPR?
As if you didn’t already have enough to deal with given the Brexit-related economic and legislative uncertainty… the European General Data Protection Regulation that comes into effect in May 2018 applies to you just as it does to those you regulate. Arguably it’s even more important for you to get your house in order in time, as government expects regulators to set an example for industry.
In our experience, organisational mind-set is everything. Recognising that the regulation marks a positive change for your customers, clients or stakeholders is the starting point for making a success of it.
But there are specific issues which regulators will be all too familiar with, and which make their ability to interpret and adhere to the rules uniquely challenging. For example:
- Legacy legislation: the data that regulators require is often set out in statutory legislation based on historical assumptions. Regulators continue to request, collect and store data they don’t need to perform their activities.
- Duplication: regulatory regimes frequently evolve and new risks emerge. Regulators have to develop solutions quickly which can create duplicate data requests.
- Limitation: it’s tempting to request data to answer a very specific purpose rather than considering its wider potential for additional analysis – like asking for a percentage change rather than absolute figures, for example.
- Inefficiency: due to the speed of change and continuous pressures, it’s difficult for regulators to take the time to improve their approach to collecting, storing and analysing data. Some will be using paper forms and manual spreadsheets that create huge inefficiencies and inhibit improvements.
Most know their authority to conduct regulatory activity doesn’t give them carte blanche to collect and retain data as they please. But it’s often difficult to know exactly where and how to draw the line. GDPR makes it essential to draw that line – and quickly. As a regulator you must establish a clear position to safeguard the data of those you regulate and protect without compromising your objectives.
To help jumpstart your GDPR programme, we’ve identified the top three areas to focus on to make sure you comply.
Get specific consent and make it straightforward for people to ask you to delete their information
As a regulator, your lawful basis for collecting and retaining personal data is mostly driven by your regulatory authority. But this isn’t always true. There are categories of subject who need to give consent to process their data in the first place, like members of the general public. The requirement for specific consent means there are probably also categories of processing that will need explicit agreement, even from those whose data you otherwise have an automatic right to process.
For example, the fact that you’re entitled to collect an individual’s contact data so you can issue them a licence doesn’t mean you can use this same information to target them with a survey. The right to erasure is similarly nuanced. You need to determine if the mandate to retain an accurate historical record in the public interest trumps a person’s right to be forgotten.
Getting on top of either of these requirements means getting a comprehensive understanding of how and where your organisation currently collects, stores and manages personal data. This isn’t just about IT systems, it includes all those helpful spreadsheets different departments maintain themselves as well any routine exchanges of personal information by email. Armed with this understanding, you then need to ensure:
- You’re actively seeking consent for using personal data for reasons not covered by your legislative authority as a public body.
- You’re maintaining a ‘Single View of Customer’ across your organisation so that it’s easy to determine where specific consent has been granted and where it hasn’t.
- You’re managing the data lifecycle effectively: so you’re not retaining data for longer than necessary, and you have processes to assess and action requests to erase information.
Make data privacy integral to new products and processes
The GDPR legislation recognises that privacy is often an after-thought and so has mandated ‘privacy by design’. It’s not a new term but its enshrinement in legislation certainly is new.
Put simply, organisations must now build in data privacy in the initial design stages of any product or process implementation. As a regulator you’ll probably always have ‘in-flight’ projects that deal with personal data. If this article inspires you to do just one thing it should be to conduct a privacy impact assessment for each of them. Fortunately, when it comes to closing any privacy design gaps you identify, the legislation permits a risk-based approach. So you can consider the cost of implementation along with the wider context and the purpose of the data handling. In this sense there’s some room for manoeuvre and a number of practical ways to make sure you comply.
GDPR also introduces the term ‘privacy by default’, specifying that organisations should only process data where required to achieve their stated aims. This means only collecting the data you need to and not exposing it to more people than need to see it. To get a handle on the former you need to ensure that each item of data collected can be tied to your statutory objectives. For the latter, you need to expose personal information only to people who need to process it – including through application and database access mechanisms.
Make sure third-party data processors comply with the new rules
As a regulator you’ll probably share personal data in some form with third party organisations that process it for you. Organisations like cloud service providers, IT contractors and any data analytics or research organisations you work with. A significant shift under the GDPR legislation is that these third parties are now themselves directly obliged to comply with the legislation. But these extra responsibilities placed on data processors do little to absolve you from your obligations as the data controller.
In particular, you still need to make sure any processors you appoint have the technical and organisational mechanisms in place to comply with GDPR. And all such relationships must have a binding contract that clearly specifies the categories of data in scope, type of processing activity and time-periods. Any current contracts with data processors that don’t provide this detail will need to be amended before the May deadline.
Revising your existing contracts might be onerous in the short term, but longer-term will afford you more control. For example, under GDPR third parties can only process data in strict accordance with your documented instructions. And the legislation places tight restrictions on any use of sub-contractors, which isn’t permitted unless contractually agreed with you. Even when you grant general permission, the processor must give you advance notice each time they engage a new sub-contractor. Finally, GDPR should encourage data processors to be more helpful by requiring them to actively help you, the data controller, to meet your obligations. That includes advising you if they think anything you’re doing constitutes a breach.
Get benefits beyond compliance
Focusing on these key areas will give your GDPR programme the direction it needs to be successful. We believe you’ll see many improvements to the way you work day to day that will make it all worthwhile. Information breaches will still be an inevitable consequence of complex information systems and intricate business processes. When the worst does happen, having actively minimised its scale and impact will be critical in terms of reputation.