There’s a very good chance that the ‘C’ word is used regularly by organisations in conversations relating to the General Data Protection Regulation or GDPR. That’s not the C word that I have in mind however.
I’m interested in ‘Compliance’.
Understandably, everybody wants to know what they need to do to be compliant. In truth, no one can be 100% certain. Those of us in the industry know the big picture and we can help organisations prepare for the key requirements. GDPR is about transparency and accountability. This includes knowing and recording the personal data you process and ensuring your processing activities are lawful and meet the requirements of the data protection principles outlined at Article 5.
You need to demonstrate accountability on an ongoing basis to ensure that data protection is not a ‘comply and forget’ process. You have to understand the risks to the rights and freedoms of data subjects associated with your processing activities and apply suitable risk treatments to minimise those risks, which may even mean terminating the processing activity. This may include undertaking a formal data protection impact assessment (DPIA), or privacy impact assessment (PIA) as they are commonly known.
You also have specific controller and processor obligations and must ensure that you provide data subjects with the required privacy information and are able to facilitate the exercise of their enhanced and new data subject rights.
There is more I could list and much we can help you prepare for, but we can’t advise on 100% compliance at this time. This is because the Data Protection Bill in the UK has yet to be published. Information law expert Dr Chris Pounder in his ever-excellent blog (I don’t know Chris personally but enjoy his writing) reports that DCMS aims to publish the Bill in September. At that time, we’ll start to get a better understanding of the detailed provisions of what we can assume will be the Data Protection Act 2018.
Whilst the GDPR is a regulation, and regulations don’t need to be transposed into national law in the same way that EU directives do (they have direct effect), it is common for member states to pass legislation covering the consequential matters arising from a regulation coming into force. This includes dealing with the derogations and the other matters which the GDPR has left to member state determination. We are therefore looking forward to seeing the Bill once published.
There are other considerations also. There is still guidance to come from the Article 29 Working Party (WP29). This guidance will help us to interpret key elements of the regulation and will also help inform guidance from the ICO. So far, WP29 has provided guidance on data portability, DPOs and identifying a lead supervisory authority. It has indicated that it plans to release guidance on the following topics this year:
- Administrative fines
- High risk processing and DPIAs
- Notification of personal data breaches
- Tools for international transfers
I think you would agree that these topics include key considerations in respect of what it will take to be ‘compliant’. Finally, we clearly don’t yet have any ICO enforcement actions or case law upon which to base our expectations of what it will take to be compliant.
So, we can help you prepare for GDPR and we can support your compliance preparations based on the information available. But what it takes to be 100% compliant is still not fully known by anyone.
The period between now and 25th May 2018 is very clearly going to be busy, especially for the data protection geeks among us!
Author: Sean Huggett
Sean is an information governance consultant and also a co-founder of Cybercrowd. He specialises in data protection, GDPR readiness, ISO27001 implementation and information security. Sean is legally qualified, having been called to the Bar in 1998, and retains a keen interest in the legal aspects of data protection and information security.