It is the final countdown to GDPR (our GDPR countdown clock feels like it moves faster each day). As the ICO’s Elizabeth Denham pointed out at the ICO Data Protection Practitioners Conference last month, there are just a few weeks until the GDPR comes into force. With that in mind, it seemed a good moment to provide an update on three areas the SocialOptic team have been working on for GDPR, specifically:
- What you might want to do to help achieve your own GDPR compliance.
- What we have done and are doing to be GDPR compliant ourselves.
- Features we are adding to our products to help you with GDPR compliance.
The Cambridge Analytica / Facebook story has probably been the best unintended marketing campaign for GDPR. From pictures of the ICO raiding offices to the raised awareness of public concerns around data privacy, it has helped to focus businesses’ minds on data privacy and on the upcoming General Data Protection Regulation. As Elizabeth Denham noted from the stage, “it’s been an eventful few weeks at the ICO.” It certainly has.
In the UK, as in many other countries, there is a degree of ‘now but not yet’ to GDPR: we have to remain compliant with the existing laws while getting ready for GDPR and also preparing for new local legislation. In the UK, that means dealing with the Data Protection Act (1998) – yes, it really is that old – while we await the new Data Protection Bill to be passed. Awaiting local legislation isn’t an excuse for delaying work on getting ready for GDPR, since the main regulations themselves have been finalised and established for quite some time. Likewise, May the 25th won’t be the end of GDPR work; it is an ongoing commitment for any organisation that handles personal data.
There are aspects that will require more jurisprudence and case law to finally settle, so expect requirements to evolve and become more refined over the next few years. For certain specialist areas guidance has yet to be issued, and it is looking likely that it will not be issued before the May deadline. In the meantime, best efforts and diligence are required to be ready. In case it isn’t already obvious, GDPR isn’t just a matter of changing a few processes; it represents a change in culture and a fundamentally different approach to compliance. It is not enough just to be compliant, you have to be able to demonstrate that you are compliant. Accountability is a core principle.
The ICO here in the UK has been at great pains to play down stories of big fines and rumours that they would ‘make examples’ of organisations. As one team member said, if a twenty thousand pound fine was the appropriate fine before GDPR, it will still probably be appropriate. The big fines will be reserved for the wilfully non-compliant and those who cause genuine hardship. That said, the ICO has had a nearly 50% budget increase this year, is on a path to hire around 150 new staff, and has also been given ‘pay flexibility’ to retain and hire the best people. This almost certainly makes it the largest and best resourced data protection regulator in Europe. The GDPR gives the ICO powers to audit organisations and impose bigger fines. Ignoring the new regulations isn’t an option, however large or small your organisation is.
There is a sea of companies that have sprung up selling “documentation packs” for anything from 50 to 5000 pounds/euros/dollars. These packs in themselves aren’t going to make your business compliant, and from what we have seen they are very variable in quality. Some may help; some are actually deeply unhelpful. The ICO is very clear that the important thing is for organisations to go through the thinking required to be compliant, and to evidence that thinking. Downloading an HR policy pack isn’t going to get you there – box ticking isn’t going to cut it. You need to go through a process of looking at what data you collect, what you do with it inside your organisation, in terms of ‘processing’ and storage, and who you share it with. Then you need to ensure that, for each set of data, you are working with it in a way that is documented and lawful. You also need to ensure that you are affording the appropriate rights to the people whose data it is, which means processes to deal with requests for data, and a process for notifying them in case of a data breach. Many consultants make this sound like an exceptionally complex process, and indeed it can be in some circumstances. However, for most organisations it is actually a relatively straightforward process, although it is still time and resource intensive. All of the resources that most organisations will need are available free of charge on the ICO website, or from your own regional regulator if you are outside of the UK.
Over the next few weeks I’ll blog the process we have followed, with links to resources that are now available (many of which weren’t when we started). Data is central to what we do at SocialOptic, and good data governance is a contractual obligation for most of our customers, and has been since the business started almost a decade ago. We have tracked GDPR since its earliest drafts and were able to incorporate it into our plans. GDPR has been a good opportunity to look again at cyber security and data governance. Some highlights of the work:
- Obtaining Cyber Essentials & IASME accreditations.
- Enhanced staff training and confidentiality agreements.
- Enhanced Data Security Policy, with a regular review cycle.
- Data Governance Policy, covering asset registers, data quality and data handling.
- Automated security scanning, analysis and testing across our solutions.
- Universal use of encryption on all identifiable user data.
We worked backwards from where data leaves us, through processing, and back to data collection. The reason is that supplier agreements and changes are harder to control than changes to how and where we collect data, so those collection changes can be made closer to the deadline. It also had the advantage of baking in “data minimisation” – keeping the focus on the minimum amount of data we actually need. Starting with the data you collect can seem like a logical first step, but it invites the temptation to waste time justifying collecting data just because you already do, before you have understood the real need for it.
We are using SurveyOptic to record our supplier audits and agreements, as well as asset registers, and of course, MilestonePlanner for timeline driven plans and check lists. Going through the process has also created a roadmap of new features for both products, which we are rolling out to support our customers in meeting their own requirements:
- More granular access controls – giving fine control over who has access to data, and which aspects of the data they can see.
- Advanced authentication methods, including Active Directory for SSO, two-factor authentication (2FA) and additional authentication controls.
- Logs and journaling to provide audit trails of when and how data was accessed.
- Data marking to flag sensitive and identifying data.
- Enhanced data export, to provide data portability.
- Built in support for handling data subject access requests.
We also want to support education about GDPR and responsibility for data protection, so we are supporting the ICO’s newly launched “Your Data Matters” campaign and will be using it in our communications. We will be adding new security and privacy links to our sites in the next few weeks, and publishing updated policies. We continue to host data in the UK, with options to host data in other locations where required. For businesses getting ready for GDPR we have pulled together links to a set of resources on our GDPR page. The ICO has a growing set of resources, especially for small businesses, and we will update the “Small Businesses Data Protection and GDPR” to reference those. Additionally, the following new tools and guidance from the ICO will be useful for businesses:
- Lawful Basis selection tool.
- Additional guidance on choosing a lawful basis for processing.
- Requirements for documenting data processing activity.
- Other items to document.