Barristers-at-Law Quentin Hunt and Dean Armstrong QC discuss some of the most common misconceptions around GDPR compliance.
Think you’re up to speed with GDPR? Eye-watering fines, adverse publicity and severe reputational damage are all possible consequences of getting this new regulation wrong. But even now, with GDPR due to come into force on the 25th May 2018, many companies still don’t appreciate the financial and reputational implications of failing to comply – or the extent of the compliance requirements.
1. There is a right and wrong answer to GDPR
One of the biggest legal issues with GDPR is that it is not a rule-based piece of regulation - like, for instance, the EU’s Markets in Financial Instruments Directive (MiFID) for investment intermediaries, or driving at 35 miles per hour (mph) in a 30mph zone. In both examples, there is a definitive answer with little need for interpretation.
GDPR, however, is what is known as principle-based regulation. This means it assesses whether data has been processed in accordance with designated principles, rather than against black and white rules. For instance, GDPR will look at issues such as whether ‘effective’ consent has been obtained from the data’s owner and whether that data is deemed ‘current’.
Both of these are matters of interpretation and, in the case of an investigation, that interpretation would be at the discretion of the Information Commissioner’s Office (ICO) and would involve a legally-based assessment. If you’re in any doubt about the interpretation of the data your business holds, it’s advisable to get specialist legal help sooner rather than later.
2. The fines are just the cost of doing business
GDPR fines are on a scale we have never seen before in data protection, and these fines have the potential to destroy a business. Certain infringements are subject to fines of up to €20 million or 4% of worldwide annual turnover – whichever is higher.
How much a business might be fined is predicated on a number of circumstances, such as the nature, gravity and duration of the infringement, the number of subjects affected, and any action taken by a company’s data controller to mitigate the damage.
But falling foul of GDPR isn’t just about the fine – there’s the reputational damage to consider. If severe, a breach could ultimately have a detrimental impact on share price, leading to the possibility of class actions and loss of consumer confidence.
GDPR is more than just the numbers
3. If you’re outside the European Union, the change doesn’t affect you
If your business depends on trading with EU citizens, then you will still need to adopt data protection regulation that is as rigorous as GDPR, or more so. Anyone wanting to access the EU market has three paths open to them:
a. The first is by taking the Norwegian route and joining the European Economic Area, which requires that non-EU countries implement rules and procedures that are equivalent to those in the EU.
b. Bilateral trade deals with the EU typically result in the non-EU country having to agree to apply laws that are at least as demanding as EU legislation. This is the route Switzerland has taken. In both these instances, non-EU countries would have to adopt data protection regulations that are as strict as GDPR.
c. It is possible for a non-EU country to maintain independent trade deals without taking on the burden of equivalent obligations, but in this instance GDPR will still require ‘adequate’ protection to be put in place in order to allow EU members to pass information to the non-EU country.
In short, if your company is offering goods or services to EU citizens, or monitoring their behaviour, then GDPR will still apply to you.
4. This is a matter for my compliance team
Make no mistake: GDPR is something that every business leader needs to understand and be on top of. At its heart is the sanctity of personal data. This regulation enshrines the notion that personal data belongs to the individual and that businesses are mere custodians of this precious commodity.
This is a root and branch change in the way that every business uses, manages and protects data and it is your responsibility to ensure that your team understands what it means for their job.
When in doubt, turn to technology
5. Technology alone can fix any problems
A lot of people wrongly assume that GDPR is all about the data hack, and that if you bump up your cyber security measures then you’ll be okay. However, compliance by design and default is the GDPR mantra and technology can only solve part of the problem.
For example, a breach might take the form of someone leaving confidential papers on a train – and there’s nothing technology can do to mitigate that scenario. But GDPR also forbids reliance on automated decision making.
This means, for example, that mortgage companies can no longer approve or reject an application based on an automated credit score. Technology most certainly has a role to play in this, but there will also be a need for human determination and the ability to reverse a decision. Technology should only ever act as the handmaiden of bespoke expert advice in this area.
There’s still time to get your business in legal order but it’s worth taking the time to follow these steps to ensure your transition to GDPR compliance is as smooth as possible.
1. Regularly review your data, including the type you are collecting. Ask yourself:
a. Can any of this data be anonymised?
b. Where is the data going?
2. Review your processes for data breach notification, security and risk assessment.
3. Check your contracts – do you need to conduct a data protection impact assessment?
4. If you are a data controller, review your relationships with data processors.
5. Train your workforce. As mentioned, it is not enough to rely on your compliance or technical teams. Consider the following questions:
a. Do you need to hire a data protection officer?
b. Do you have adequate processes in place should employees have to handle a serious data breach?
c. Are your contracts – with staff and subcontractors – GDPR compliant?
d. Have you given your employees the correct information?