Updated 25 May 2017: The General Data Protection Regulation (GDPR) comes into force in just one year today. Information Commissioner Elizabeth Denham marked the countdown by calling it "the biggest change to data protection law for a generation" in a video speech addressing British boardrooms.
The regulation takes effect on 25 May 2018 and the British government has confirmed it will adopt the legislation while the country remains in the EU and mirror it once it leaves.
The regulation enforces complex data obligations for companies that current policy is unlikely to satisfy, and issues damaging fines for breaches.
But with one year to go until implementation, many businesses remain entirely unprepared. Technology advisory firm Gartner predicts that by the end of 2018, more than half of them still won't be fully compliant with the requirements.
“If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance," warned Denham. "But there’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit."
The ICO (Information Commissioner's Office) also used the day to launch an updated data protection toolkit for SMEs, its Information Rights Strategic Plan, and to relaunch its 12 steps to take to prepare for GDPR guidance.
GDPR explained: What is the GDPR?
The GDPR was adopted by the European Parliament in April 2016 following four painstaking years of deliberation. The provisions reinforce data protection in line with contemporary concerns about personal information, and applies to both EU member states and to organisations outside the union when processing the data of citizens within it.
"The GDPR introduces obligations for data controllers and processors in several areas," minister of state for digital and culture Matt Hancock told the House of Lords EU Home Affairs Sub-Committee on 1 February.
"It strengthens the rules for obtaining consent. It strengthens the need for breach notifications and it emphasises self-assessment in the management of data. We have said that the UK is going to implement GDPR in full, and there's two reasons for that.
"The first is because we think that thanks to some significant negotiating successes during its development we think that it is a good piece of legislation in and of itself. That's the first thing.
"And the second is we are keen to secure the unhindered flow of data between the UK and the EU post-Brexit, and we think that signing up to the GDPR data protection rules is an important part of helping to deliver that.
Regulations have been harmonised to ease compliance, with one set of laws applying across all 28 member states. The clarity comes with severe penalties for violations. Breaches could result in a fine of up to €20 million (£17 million) or four percent of worldwide revenue, whichever is higher.
The sweeping legislation presents a range of compliance and operational challenges for British businesses, requiring thorough planning and additional resources.
GDPR explained: Company fears
Almost 40 percent of businesses are fearful of a major compliance failing, while just under one-third (31 percent) are worried about reputational damage from poor data policies, according to a Veritas survey of more than 2,500 senior technology decision makers.
Collective responsibility is essential to prevent such fears being realised. The GDPR requires privacy protection by design and by default, which entails a comprehensive compliance programme supported throughout the organisation, according to a report by privacy think tank the Centre for Information Policy Leadership (CIPL).
It recommends embedding data security requirements throughout the organisation at every stage of each business processes, from planning to release.
Confusion reigns over who bears responsibility for the regulation. Almost one-third, (32 percent) of respondents believe the chief information officer is responsible, versus 21 percent for the chief information security officer, 14 percent for the chief executive officer and 10 percent for the chief data officer.
According to the CIPL report, they all are.
"GDPR and data privacy compliance are closely related to a company's data strategy, big data and analytics, and data-driven innovation," it states.
"It also supports the fact that data is critical to many business processes, products, and services. This is why GDPR implementation must be a concerted effort across the organisation, with the DPO working hand-in-hand with Chief Data Officer (CDO), Chief Information Officer (CIO), Chief Information Security Officer (CISO) and other senior leadership.”
"The board needs to understand the implications of the GDPR and be bought into the need to make enhancements," says Mark Thompson, the global privacy advisory lead at audit, tax, and advisory firm KPMG. "This should result in the funding being made available to undertake a privacy improvement programme."
GDPR explained: Consent and accountability
The form consent now required could force some organisations to approach the same individuals again for further permission to use their data, but those that are already following good practice should be okay.
"What the GDPR requires is that organisations actually have consent as a standard which is at the level of the GDPR," says Head of International Strategy and Intelligence at the UK Information Commissioner's Office (ICO) Steve Wood. "But if your content is of a high standard now for the personal data you're processing, then you can continue to rely on that consent under the GDPR.
"GDPR is creating a greater focus on making sure that consent is specific and granular as well. GDPR is focusing on the record-keeping around consent and the audit trail you need to have.
"Consent has got to be easy to withdraw and you're going to need to be able to clearly name your organisation and make that clear to individuals and also the third parties of whom the data may be shared with."
Any complex technology used must be fully comprehensible in simple explanations. Artificial intelligence, for example, will require a level of algorithmic transparency that can be understood by an average person.
There should be no ambiguity and evidence should be provided of affirmative action being taken. Consent mechanisms must be prominent, concise, and easy to understand in each individual chunk of data and collection method.
"It's crucial that it's sustainable," says Wood. "Accountability isn't just used for a project which an organisation thinks is very risky, but it's available to the organisation to be able to use in a routine way, depending on the risk, in order to enable that sustainable approach. And it's got to be embedded in the organisation. There's got to be a range of people who actually can take responsibility for different parts of the process.
"The key thing as well is not to see all of these elements in the GDPR as individual elements, but to think of them as part of an overall accountability framework. So the DPO [data protection officer] drives accountability, documentation provides the evidence of compliance, DPIAs [Data Protection Impact Assessments] lead to that identification of risks and can help with evidence of legislation. Data protection by design builds in that accountability and the mitigation of the risk."
GDPR explained: Reporting security breaches
"What the GDPR also does is strengthen the safeguards against that and the disclosure requirements where there's been a data breach," said Hancock.
Data controllers must notify data protection authorities of any breach that risks the rights of individuals within 72 hours of their becoming aware of it and any affected individuals in the case of a high-risk breach as soon as possible. When a data processor discovers a breach, it is their responsibility to notify the controller.
"At the moment a provision like this doesn't exist, and this will strengthen both the higher safeguards and the more robust notification of breach procedures, [which] will I think significantly strengthen the data protection of the UK," Hancock added.
Many organisations will already have a procedure for reporting breaches and an internal plan for responses.
"This will enable them to comply with the new requirements for notifying data protection authorities and individuals affected in the wake of a breach," states the CIPL report.
"However, unlike in the US where breach notifications are mandatory in almost every jurisdiction, only a minority of organisations conduct 'dry runs' of their breach notification plans, have cyber insurance, or retain public relations and forensic experts."
Implementing these measures will go a long way towards ensuring the reporting requirements are followed.
GDPR explained: High-risk data
Formal Data Privacy Impact Assessments (DPIAs) are required when using new technologies and for any data deemed “high risk” to the rights and freedoms of individuals.
These include systematic and extensive processing activities, large scale processing of special categories of data or personal data relation to criminal convictions or offences and large-scale, systematic monitoring of public areas (CCTV).
Establishing a risk assessment framework is a wise way of managing data privacy and ensuring compliance. The Information Commissioner's Office (ICO) recommends including a description of the processing operations and purposes, an assessment of the needs of the processing in relation to the purpose and an assessment of the risks and the measures in place to address them.
There are also new data portability rights that allow an individual to easily move, copy or transfer their personal data across different services.
This data must be provided within one month of it being requested, and may also need to transfer it directly to another organisation if this is feasible. It must be done free of charge and in a common, structured and machine-readable format.
Organisations must also protect individuals' right to be forgotten when their data is no longer relevant or necessary. Procedures should be established to support both these requests.
Data processing policies and practices are another aspect that will require a review, as processors are now subject to GDPR obligations and the requirements of their processing agreement with a controller have been expanded. Internal records must be kept of all data processing activities, with the data tagged and classified.
GDPR explained: What about Brexit?
The implementation of such transformative regulation represents a major challenge for British businesses, augmented by the impact of Britain's the impending exit from the European Union. Waiting to act would not be wise, particularly as the UK will continue to apply the regulation.
"The approach that we've taken in order to maximise the ease with which we can negotiate an uninterrupted and unhindered flow of data is to put GDPR into UK law in full, so in a sense we are matching them rather than asking them to match anything new from the UK," said Hancock. "We're starting from a position of harmonisation rather than from a position of difference."
Non-EU companies still have to comply when the data passes through the EU, even when they have no influence on its direction. The uncertainty will inevitably risk breaches if a comprehensive transitional agreement isn't in place.
"The UK will become a 'third country' under the data transfer rules in the GDPR," says Alistair Maughan, a partner in the London office of international law firm Morrison & Foerster.
"In this case, personal data can only be exported by a business established in the EU to a third country, such as the UK, if there is an "adequate level of protection" for such data, unless certain conditions have been met.
"This may require businesses to put in place alternative data transfer arrangements for transfers from within the EU to the UK, at least for a period of time while adequacy status is confirmed."
GDPR explained: Getting prepared
Gartner recommends that organisations prioritise five specific actions to prepare for the impending requirements. They begin with the appointments of two roles dedicated specifically to data protection roles: an individual to act as a contact point for the data protection authority (DPA) and data subjects, and a data protection officer (DPO) to ensure processing operations are compliant.
The remaining recommendations are to demonstrate accountability for all processing activities transparently, check how data flows across different borders both within the EU and outside it, and prepare for data subjects to exercise their extended rights, in areas such as the right to be forgotten and to be informed of a data breach.
IBM has developed a five-step approach of their own to help organisations ensure they're ready for GDPR. The "5 Phases to Readiness" breaks preparation down into separate steps: assess the GDPR readiness, design an implementation plan, transform the organisation wherever enhancements are needed, operate along a framework designed to ensure compliance, and conform on an ongoing basis to GDPR standards.
"It's having a battle plan," says IBM Global Head of Cyber Security Intelligence Nick Coleman. "The practical [part] is prioritise the resources, prioritise support, prioritise what capabilities you need at what level of maturity to be able to get you in a state that you feel comfortable with by May 2018."
The scope of the regulations means a global outlook is required, and an understanding of them at every level of the organisation. The international implications of the GDPR go beyond the EU member states, as the GDPR rules will apply to whichever territory has a role in using the data.
"This is a global project," says Coleman. "It's the data subjects' data wherever it resides. It could be in New York, it could be in Singapore.
"What's clear is one person is not going to fix it, this is going to have to be a business-led approach which looks at the whole business model and how these requirements come into play.
"I see the chief privacy officer as a real champion for many in the organisation to help get their awareness raised and to make sure that people understand this and then we'll need the full support of the business and also colleagues in different parts of the business; technology; operations; all those other areas of the business, to really help them make it happen. Who's responsible? Everybody's responsible."
GDPR explained: Staying positive
The implications of the GDPR may appear overwhelming, but the regulations should have a positive impact on both the public and the organisations responsible for upholding them.
"GDPR also represents an opportunity for organisations to consider data privacy compliance more strategically and holistically, as it becomes key to their data strategy and the digital transformation of their business,” says Bojana Bellamy, president of the CIPL.
With the appropriate planning, policies and staff training, the regulation, organisations can benefit from greater support if the public feel comfortable that their data is being protected, says Information Commissioner Denham.
“I see this as good news for the UK. One of the key drivers for data protection change is the importance and continuing evolution of the digital economy in the UK and around the world. That is why both the ICO and UK government have pushed for reform of the EU law for several years," she wrote in the ICO blog in November.
"The digital economy is primarily built upon the collection and exchange of data, including large amounts of personal data – much of it sensitive. Growth in the digital economy requires public confidence in the protection of this information."