
GDPR: Forget the fines, look for the opportunity

    25th May, as we all know, marks the day the General Data Protection Regulation (GDPR) becomes enforceable throughout the EU.

    Ah, GDPR: the latest boardroom headache for NI companies, the golden opportunity for lawyers to warn of multi-million euro fines for non-compliance; in effect (as one client put it this morning) the 21st century’s variant on Y2K?

    I don’t think this is the way to look at GDPR.

    I’m of the view that the more people run around wailing about €20 million fines, and the more GDPR is castigated as the death of data-based business as we know it, the greater the risk that businesses focus only on compliance. The shout goes up, “What’s the minimum we need to do to comply with GDPR?”, and everyone starts to believe that as long as all (or most) of a series of compliance boxes are ticked by 25th May, the threat will have passed.

    GDPR goes much further than that. 25th May is the start, not the finish line. Concentrating on short-term compliance misses the point: data protection has to become an ongoing, constant part of business culture, rather than an externally imposed one-off test. GDPR does require a series of relatively complicated and costly steps, but the overreaction to the prospect of fines has hidden the rewards NI businesses could gain by working with it.

    In this article, I’m going to target a series of GDPR myths. In doing so, I hope to persuade you that GDPR is just as much an opportunity as a burden: even if I don’t, I’ll at least have got you thinking about it.

    MYTH 1: COMPLY OR LOSE €20 MILLION. The €20 million figure has been seized upon by lawyers and other GDPR consultants as a stick with which to compel businesses to comply. In fact, the figure of itself is relatively meaningless. Theoretically, a business guilty of a sufficiently gross GDPR breach could face a far higher bill. The ICO could levy the maximum fine, which is the higher of €20 million or 4% of worldwide annual turnover. Then the people whose data was disclosed could sue the business for the breach: even if they can’t show any financial loss, GDPR allows them to claim for emotional, “non-material” damage, and typically such awards are less than £750 per person. So, if 10,000 people’s data was breached, that could add up to £7,500,000 on top of the €20 million fine.

    But the reality is that that’s just not the way the ICO works. In the 2016/17 year, the ICO concluded 17,300 data breach cases and issued 16 fines. Just 16. The maximum fine is reserved for exceptional circumstances. The ICO concentrates on working with businesses to explain why they’ve breached data protection law, to put remedial procedures in place and to carry out inspections to ensure ongoing compliance.

    MYTH 2: GDPR MEANS COSTLY CHANGES AND HUGE LAWYERS’ FEES. Not true. Much of GDPR centres on one key action that any business should be able to take: someone needs to sit down and spend time thinking about how your business uses personal data. What personal data do you hold? How and from where do you obtain it? How do you use it? Where do you store it? And who, if anyone, do you share it with?

    Carrying out this data audit alone means your business has already made a start on GDPR: the next step is to document the various policies and data use statements GDPR requires. Templates exist for the majority of these documents, and you should use your data audit to tailor the standard-form policies so that they reflect what your business actually does with personal data. None of these steps is especially difficult, and none requires legal input.

    Here’s where you most likely will need a lawyer. First, GDPR requires you to state publicly the legal basis for your data processing (often that will be customer consent, but there are other important bases, such as performance of a contract or your legitimate interests), and you’ll want a lawyer to check this. Second, your privacy policy may need some serious overhauling. Third, and equally importantly, any business contracts under which you provide or receive personal data will need to be checked. Depending on the scale of your operations, this shouldn’t involve huge legal fees, and you should always ask for a quote in advance.

    MYTH 3: WHY BOTHER, IT’S ALL GOING TO CHANGE WITH BREXIT. Brexit is not going to see any slackening of data protection requirements below the GDPR standard. There are two reasons for this. First, after Brexit GDPR will restrict the transfer of personal data from the EEA to the UK as a non-EEA country, unless the UK’s data privacy laws are recognised as offering protection equivalent to the GDPR. Second, GDPR applies to businesses outside the EEA that offer goods or services to, or monitor the behaviour of, individuals in the EEA, so a NI business with EEA customers will have to comply regardless.

    MYTH 4: IT’S NOTHING BUT A BACKBREAKING BURDEN. The current climate of fear makes it easy to forget that there are real opportunities for businesses that make GDPR a key theme of how they operate.

    Yes, the initial compliance requirements are complicated; yes, you may have to talk to lawyers; and yes (if you work really, really hard at it) you may commit a data breach of such severity that you’re fined by the ICO. The fact that the principles of GDPR have pretty much been in place for 20 years under the current Data Protection Act 1998 isn’t, I suspect, going to be of much comfort to many.

    But it’s 2018: we’re in the middle of exponential growth in mobile technology use, and there’s a young, tech-savvy generation of customers out there for whom data privacy is an important part of how they use mobile. NI businesses have much to gain from taking on GDPR and proving themselves efficient and responsible users of personal data.

    There’s a real opportunity here. The ICO’s 2016 Annual Track survey measures public confidence across the UK in how businesses use personal data. Trust varied between sectors: 53% of those surveyed trusted banks’ use of personal data, but only 32% trusted retailers’. Businesses that can demonstrate data privacy integrity to GDPR standards will have a significant marketing advantage.

    And here’s the kicker: that’s nowhere more true than in NI, where public trust in businesses’ use of personal data is conspicuously lower (43% trust banks’ use of data, and only 17% trust retailers’).

    GDPR: a pain in the butt in the short term, a business opportunity in the medium term, and in the long term the business norm our tech-savvy kids and grandchildren will expect.

    Rory Campbell, Forde Campbell LLC, February 2018

    About the author

    An article that is attributed to Sync NI Team has either involved multiple authors, written by a contributor or the main body of content is from a press release.
