GDPR: 5 Myths
February 19, 2018
In her second article in the series on GDPR, Naureen Shariff speaks with Sam Thomas, barrister at 2 Bedford Row and co-author of Cyber Security: Law and Practice.
Naureen: Sam, there are just under 4 months till the General Data Protection Regulation (GDPR) will apply at the end of May 2018. We know that there is a lot of hype out there enticing businesses to buy into a product which will ‘solve all GDPR issues’. Now you and I know that this is not the case.
Sam: Exactly. My co-author, Dean Armstrong QC, and I believe that there are five basic myths that surround the General Data Protection Regulation (GDPR). People believe that: (i) there is a definitive answer to GDPR; (ii) GDPR only affects compliance departments; (iii) GDPR is concerned with data hacking; (iv) technology will solve any concerns in relation to GDPR; and (v) the fines for breaching GDPR are just part of the costs of doing business. All of these assumptions are false.
Q: Is there a one-size-fits-all solution to complying with GDPR?
A: There is a conceptual misunderstanding that GDPR is a set of rules that must be followed. This is incorrect. GDPR is a principle-based system which requires a business to ensure that personal data is processed fairly, collected for a specified purpose, limited to that which is necessary, and up to date.
What is considered to be ‘fair’ and ‘necessary’ will depend on the size of the firm and the nature of the business. The principle must be adhered to, but there may be a multitude of ways to ensure compliance.
The new Data Protection Bill will incorporate GDPR into UK legislation. Currently (the Bill is still moving through the Houses of Parliament) there are six principles within the Bill: (1) processing must be lawful and fair; (2) the purposes of processing must be specified, explicit and legitimate; (3) personal data must be adequate, relevant and not excessive; (4) accurate and kept up to date; (5) kept for no longer than is necessary; and (6) processed in a secure manner.
Q: Surely only the compliance department needs to worry about this?
A: The suggestion that GDPR will only affect compliance departments fails to understand that GDPR defines personal data as belonging to the individual, not the company in possession of it. Under GDPR, the owner of the personal data is entitled to know how their information is being used as it moves round the business. In certain circumstances, GDPR requires that a company employ a Data Protection Officer (DPO) to meet any concerns. The DPO may be the first port of call for an individual, but they are not the last, as a DPO must report to the highest level of management (board level). Every part of the business must be using data for its prescribed purpose, and if there are any problems the board should know about it.
Q: It’s OK, I can’t be hacked – I have the best firewall in place, isn’t that enough?
A: Cyber breaches and data hacks may attract the greatest publicity, but GDPR imposes a potential sanction for a whole range of far more mundane breaches. Failing to obtain appropriate consent from a data subject, or processing data for a purpose beyond that for which it was originally obtained, could attract censure from the Information Commissioner’s Office (ICO), depending on the procedures and policies in place to prevent repetition. The ICO will likely be more interested in the compliance in place to prevent data breaches than in individual mistakes that may merely be a result of human or technical error. A single accident is far less likely to attract condemnation than a failure to design appropriate safeguards.
Q: If I invest in technology will that solve the problem?
A: Technology is not the answer (at least not on its own); it is a means, not an end. Because GDPR is a principle-based system, technology will not be sufficient to provide “the solution”. The new Data Protection Bill is some way off from its final draft; however, in the most recent readings, with a few exceptions, automated decision making, for example based entirely on a credit score, is to be excluded. There must be some human determination for data to be processed fairly. Technology will certainly assist in GDPR compliance, whether to ensure that information is up to date or to keep records secure. However, it is a myth to think that the purchase of a single piece of software, regardless of the cost, will meet the requirements of GDPR.
Q: It’s just money and the fine won’t be that big will it?
A: The fines associated with GDPR are greater than any scale previously seen. A breach of certain provisions can extend to four percent of worldwide turnover, or €20 million, whichever is greater. If you add the reputational damage, impact on share price, and the possibility of subsequent litigation by those subject to a breach, GDPR could potentially undermine even the largest company.
The best way to avoid non-compliance with GDPR is to obtain specialist legal advice. The principle-based system means that one size does not fit all. Look for appropriate advice from those able to assess the specific risks to the business.
For more information on how Blackfords LLP can advise you on GDPR, see our service on data protection.
Naureen Shariff is a solicitor in the Financial and Economic Crime Team. Naureen specialises in defending those embroiled in white collar crime, complex money laundering, fraud, bribery and corruption, confiscation proceedings, restraint orders,
Sam Thomas is a barrister at 2 Bedford Row and co-author of Cyber Security: Law and Practice. He is the co-founder of CyberCounsel (@CyberCounsel1) and provides a range of representation and advice in relation to business crime, data management and regulatory law.