The GDPR compliance dinner took place on the 22nd November at the South Place Hotel, in partnership with DocuSign. DocuSign are the answer to the question of how signatures go digital; they have also brought out tools to help businesses demonstrate compliance with GDPR.
As the deadline for compliance approaches, members were able to share their experiences with handling the challenge and ask any outstanding questions. It also gave members an opportunity to talk to Phil Lee, a partner at Fieldfisher, specialising in privacy law, whose insights were extremely valuable.
The views and opinions expressed below are not legal advice, and should not be taken as such. They are a summary of useful principles for tackling the organisational problems inherent in preparing for the law, rather than advice relating to the law itself. As such, any legal statements do not represent the opinion of Nimbus Ninety nor their partner DocuSign. We strongly recommend that you seek professional advice when tackling specific legal issues.
The State of Things
There was always data, and it was always valuable. But data has been formalised into an asset by companies and now by governments. As an asset, it has been collected and produced exponentially. Hence, laws are necessary. Data is like oil; it’s a nightmare to clean up.
GDPR, the law in question, has its heart in the right place. It reasserts that individuals own their data, which is where the question of sovereignty arises. But it is also an immense challenge.
For many CTOs, GDPR poses just as much of an opportunity as it does a threat. The CEO, previously uninterested in boring infrastructure campaigns, has looked at the ‘4% of turnover’ possible fine and is ready to give it their attention. This is a great excuse to build out an internal data governance programme, or finally build a back-end system commensurate with the needs of the company.
Businesses must be acutely aware of three fundamental traps: not budgeting enough time for the changeover, seeing it as a “just legal” question, and failing to demonstrate compliance.
Data infrastructure must be idiot-proof. Employees are not idiots, but “data” has only recently been formalised as an asset and previous casual uses of data will now become illegal in a considerable cultural shift. For example, copying personal data into a notebook for use elsewhere is probably not appropriate. Employees need to know this.
Otherwise, personal data gubbins could get caught in what should be a clean system. One anecdote runs that an employee emailed their own password to themselves. This was caught in the CRM system. Because people so rarely change or vary their passwords, this could probably be used to access several of that individual’s personal accounts.
One important and immediate concern is to wrap any data that individual employees or departments might download from a central data reserve in the kind of smart code wrapping that destroys the copy at the point when the record in the central data reserve is destroyed.
Another idea is to set up specific separate systems for logging sensitive and non-sensitive data; otherwise, employees will start using sensitive data where they shouldn’t, or will fail to take advantage of non-sensitive data to the full extent.
A third is to formalise processes that are informal and involve mucky data practice. For example, a secretary given the login to their boss’s emails, or a sales team being permitted to log in to the LinkedIn account of the CEO to make new connections. This is more serious than having to make rules - they must be good rules. If they are not intuitive and hassle-free, people will find work-arounds.
It is therefore not good enough to be idiot-proof. It must be genius-proof.
GDPR splits up ‘processors’ and ‘controllers’ and then asks everybody to be accountable for everything.
The problem of trying to get partners to comply is more widespread than it should be. Reasonably enough, people from outside the EU do not feel that the law should apply to them. But it does, and where a company is big enough, it may require using organisational leverage.
For big companies dealing with small partners, the agreement isn’t the issue. “No Problem!” and “How High?” are the refrains of small businesses landing massive contracts. It may be worthwhile checking this. “Accountability” means that you must be able to demonstrate you are following the law. If you can do it for the ICO, you can do it for your partner.
Small businesses dealing with bigger partners face a rather more opaque challenge with less leverage. The best thing for dealing with regulators is to be able to show that you took reasonable steps to make sure that the data you were controlling was being processed responsibly (or vice versa). The ICO has a reputation of pragmatism but you must take all steps within your power to demonstrate that you have worked to be as compliant as possible.
Interpretability and Risk
Compliance always involves some level of risk. Elements of the law aren’t clear and will be thrashed out in courts afterwards. Also, there is one law but many enforcing bodies. The UK ICO is pragmatic; Germany reputedly takes a more hard-line approach due to historic and cultural differences.
People will also try to move around the definitions and interpretations to suit their end goal. For example, some tech giants invite you to upload your address book, which they match to your profile. But whose personal data is that? Yours? Or your friend’s, whose phone number the company can cross-check against a third friend with the same contact? (It is possible we will find out the answer to this question in a legal battle.)
But retrospective consent is probably the most ambiguous and difficult area facing large companies. As well as “freely given”, “specific” and “informed”, consent to data processing must now be “unambiguous”, which essentially means affirmative consent. That is fine in itself; but previously collected data can only be used provided the consent behind it met the GDPR standard.
Many companies have such antiquated infrastructure that they don’t know whether the data was ‘validly’ entered or not. Going back to customers to re-ask for consent, when those customers ultimately don’t want the extra friction, may produce an ambiguous outcome. This is the technical challenge at the heart of GDPR, and could be the line over which some companies step to be fined. Do you delete the database?
GDPR will probably be compounded by other big regulations down the line. Regulation begets regulation. Once something is controlled, it is easier to then write extra rules. EU law is a surprising and unwieldy beast. Hopefully they will continue to empower the consumer without slowing innovation.