GDPR is maturing. But is it growing up fast enough?
In 2018 the General Data Protection Regulation (GDPR) was unleashed on the world (well, Europe) and it seemed for a while that the world had lost its collective mind! Executives across the land seemed to be in a state of panic as ‘snake oil’ peddlers spread fear, uncertainty and doubt and then offered ‘GDPR-compliant’ software and services. Neither of these can - or do - make you compliant. However, if you were listening carefully and could hear above the hue and cry, you will have heard data protection and security professionals telling you not to panic, and that there is no such thing as GDPR compliant!
Hopefully you heard these professionals, started to listen to them, and took action. Hopefully you dedicated time and resources to understanding what data you held, and ensuring you could evidence that you were protecting your organisation’s data appropriately, and that you were basically Giving Data Proper Respect. If you did, then that’s great. Well done you. But wait… that was almost 12 months ago. What have you been doing since?
GDPR – the toddler years.
Where are you with your GDPR compliance programme now? Now that it’s one year old.
Is it walking yet? Is it still crawling? Or is it lying on its back with its leg in the air making questionable noises and smelling a bit ‘off’?! If you were paying attention to the professionals twelve months ago, you will know that the GDPR was evolutionary not revolutionary in terms of data protection. But the GDPR did seem to catch a lot of people out, and many ran around ‘getting ready’ for May 25, 2018, and then… they did nothing. All activity seemed to stop, and it has not gone unnoticed.
At the recent Data Protection Practitioners Conference held in Manchester, the Information Commissioner Elizabeth Denham stood on stage and gave an address which was both celebratory and condemning in equal measure. She celebrated the fact that the world is now looking to the UK and to the GDPR as a ‘best practice’ for data protection and for protecting the rights of data subjects to privacy and to have their data handled with greater care. But she also lamented the shocking lack of respect many larger organisations have shown in protecting data from cybercriminals. She also lamented those profiting from the general public’s lack of understanding surrounding data protection and their rights not to have their data sold to the highest bidder.
Elizabeth Denham is right to be concerned about what we’re seeing in relation to data protection, because a lot has been happening over the last twelve months and not all of it is good.
Cybercrime is on the increase
It doesn’t really matter which cyber security survey you wish to reference, they all agree on one thing – cybercrime and data breaches are on the increase. Possibly the most shocking and telling quote from all the reports and surveys available is the one from the UK Active Defence 2019 report which states that you are more likely to be a victim of cybercrime than any other crime in the UK. This includes burglary, car theft or physical assault. So whilst we lock up our homes, park in well-lit streets and avoid the dangerous neighbourhoods, we still leave laptops on trains whilst we grab a coffee, share passwords and throw away old computer equipment intact.
And if you are reading the surveys that state X number of companies have experienced a cyberattack or data breach, I would ask you to consider the fact that X is normally massively undercounted. This is because many organisations who have become victims of cybercrime won’t admit it, and others don’t even know they have been the victims of a cybercrime. My question to you is, if you don’t think you’ve been hacked or had a breach, how do you know? When did you last check?
Cybercrime is big business
According to research carried out by CISCO and Cybersecurity Ventures, by 2021 the cost of cybercrime to the global economy is expected to reach around $6 trillion every year. This number far exceeds the cost of natural disasters globally, and even outstrips the profit made globally from illegal drugs. Ransomware is the current tool of choice, with this method of attack increasing by 350 percent in 2018, and expected to cost the global economy $20 billion by 2021.
Data Breaches are on the increase
Over the last twelve months, there have been some significant data breaches caused by cybercriminals (e.g. T-Mobile – 2 million accounts breached) and also by companies placing their trust in third-parties, who then subsequently let them down (e.g. British Airways – 380,000 details leaked). But let’s not forget the misuse of data by companies who sell our data to third parties without our knowledge or permission (e.g. Facebook/Cambridge Analytica – 87 million). Stories like these have been hitting the headlines with an increasing regularity, and they show no sign of slowing down.
Accountability is not an option
The GDPR enshrines in law an onus on companies to understand the risks that they create to individuals with their data processing, and to manage those risks appropriately so that individuals don’t become one of the statistics named above.
And if it’s escaped your notice, it’s worth remembering that the GDPR is the law. There’s no escaping it. If you break the law then you will be held accountable. Indeed Elizabeth Denham said just that at the conference, stating that ‘accountability is a legal requirement. It is not optional.’
Accountability is often referred to as the seventh principle of the GDPR, and is seen as an overarching principle that covers the whole regulation. The intent is to ensure someone can and will be held accountable should something go wrong. For the avoidance of doubt, if you are the business owner or CEO of your organisation then that someone is you. Ultimately you are accountable for how data is controlled within your organisation and you will be personally held responsible for any breaches or incidents that happen ‘on your watch’.
Now please don’t complain and say ‘But that’s why I hired X’, because there are too many other questions that can be asked following that exclamation. Questions like: Was X given the resources they needed? Were they given the time to focus on data protection? Did they have the training? Were they given the authority to implement GDPR processes? And why was it only given to X? What about Y? What about A, B and C? Why didn’t they get involved?
Like it or not, accountability starts and ends with you. But that’s fine, right? After all, you’re an ethical person and you want to do the right things. So no problem.
Ethical Data Protection
In the last twelve months, if you haven’t been living under a rock and you’ve been able to look beyond the Brexit headlines, you’ll have heard of some of the incidents I mentioned above. You might also have sensed a bit of a sea-change in respect to data protection and privacy from your employees, clients/customers and suppliers.
This has been brought about by the events already discussed, but also because data subjects are now more aware of their rights in relation to data protection. One might suspect this is due in part to the GDPR and the training many received in their employment. This has led to an increase in complaints to the ICO (around a fifteen percent increase) about bad practice, and also an increase in requests made to individual companies by data subjects exercising their rights.
Of course Facebook helped to raise questions about ethical use of personal data and led many to ask for clear understanding on how their data is used, who it is shared with and why. Facebook has a hill to climb, but they are making all the right noises by suggesting that they would like to see further legislation surrounding the use of social media sites (the cynic in me tells me that there is more to this than meets the eye, but for now we’ll leave it here).
What this is all leading to is a more ethical approach to data protection, and for those still paying attention let me tell you that this is where companies will benefit from good data protection practices, because it is those organisations who adopt ethical behaviours in the use of data that will thrive in the future.
But what does it mean to act ethically?
If you have to ask this question then I guess we have deeper problems, but to act ethically in relation to data leans towards the act of demonstrating respect for individuals and their data. (Remember, it belongs to them, not you. You are merely processing it on their behalf). To act ethically towards data protection means being honest, fair and transparent about how you will process someone’s data and you will do so by upholding their individual rights. You can’t be ethical towards data protection if you are simply ‘ticking a box’. To quote Elizabeth Denham again, ethical data protection is about seeing data protection as something that is part of the culture and fabric of your organisation.
If the last twelve months was your opportunity to put ‘bottom-line-compliance’ in place, then it’s now time to embed a more comprehensive data protection compliance programme within your organisation, and act ethically with that data. This means giving everyone a slice of the data protection pie, and embedding good data protection practices into every area of your business or organisation. Sound tough? Not really. Here are a few ideas.
Take Action: Data Protection in Practice
Firstly there needs to be visible demonstration of support from the Board for matters related to data protection. Gone are the days of paying lip-service to this topic. The ‘tone from the top’ needs to be one of determined intent, because this is a Boardroom issue. If the Board isn’t taking this seriously then the data protection compliance programme will fail. As the saying goes: ‘The fish rots from the head down’. But don’t assume that you can simply appoint a Data Protection Officer (DPO) and you’ve done all you need to do. You still need to actively support this person, and give them the resources they need to develop the cultural shift in thinking across the organisation.
If you have identified a Data Protection Officer (DPO) to lead your ethical approach to data protection, then you need to ensure they are actively engaged in every area across your organisation. A simple idea to ensure everyone is engaged in data protection is to make it an organisational objective, which then translates into individual objectives and targets. It’s a quick, simple and effective way to get everyone focused on what you’re trying to do and will demonstrate a real commitment from the Board to ethical data protection.
If you haven’t identified a DPO yet, remember that it is a key role and their experience is vitally important as they need to have a mix of legal knowledge, cyber security capabilities and business analysis skills. It’s an unusual mix of skills, knowledge and personality because the person will need to be able to communicate in a way that brings everyone along on the journey with you.
Of course there is so much more to the GDPR than we’ve covered here. But if you’re still reading, then I’m confident that you have what it takes to develop a strong ethical data protection programme within your organisation. The DPO will help develop your programme, but remember that accountability still rests with you, and the Board. Never lose sight of that fact.
We are moving from a world where compliance was thought to be enough, to a world where a genuine commitment to ethical data protection is required. We are all at a crossroads - personally and professionally - where we can either care about data protection and privacy, or we can continue as we have in the past.
Those who ignore data protection will place themselves at risk from data breaches, fines and cybercrime, and will most likely become one of the statistics named above. For those who can see the benefits of acting ethically with data, there is a brighter future. Is this path clear? Easy? Guaranteed for success? No.
But it leads us away from complacency and towards becoming a more ethical and trusted organisation. One that Gives Data Proper Respect. And isn’t that the kind of company we should all aspire to be?