Is the GDPR bad news? (message to the board)
KOENRAAD VELTMANS
Retired. Founder Privacy Intelligence. Proven experience in GDPR implementation, Compliance, interim management.
One cannot open a newspaper or go on the web without being confronted with articles on the GDPR (General Data Protection Regulation), which comes fully into force on May 25, 2018.
Is this law bad news? The answer depends on the position the reader is in. We can distinguish three main stakeholders: the data subjects, the controllers and processors, and the Data Protection Authorities. There are of course more stakeholders (e.g. interest groups, public opinion, the media, etc.) but for simplicity let's stick to the three main ones.
We, readers of this article, are all natural persons, and consequently the protection of our privacy is a valuable good; the GDPR is a fine piece of legislation to help us achieve this goal. The GDPR reinforces the rights and freedoms of data subjects (identified or identifiable natural persons). In general, data subjects can be happy with the GDPR and will find it good news, even when one must admit that it is not always easy to have one's rights respected; at least there is now a set of possibilities strengthening the data subjects' claims.
Another party which is much impacted (and often forgotten) are the Data Protection Authorities (DPAs), which see their powers increase but also the number of their tasks. Moreover, they will have to reach a certain level of quality, work together with other DPAs and with the European Board, and they will become much more visible. Some of their main challenges are the effective control and monitoring (including audits) of the legislation, the investigation of complaints, the creation of public awareness, the drafting of advice and guidance (many grey zones in the GDPR still have to be clarified), etc. Most of these tasks are new or at least more demanding than what was seen in the past. During the drafting and voting of the GDPR, many heads of DPAs were negative (or at least hesitant) about the GDPR because of this extra workload and their fear of not getting the right resources (qualified staff, tools, budget, clear definitions and standards). Now that the law has been voted, they have to invest and go for it. And once resources are in place there is a good chance that they too will find the GDPR good news.
The answer most readers are interested in is what controllers and processors (private companies and public entities processing personal data) think about the GDPR (because most readers hold responsibilities in such entities). Are they enthusiastic?
The best approach is to leave emotions out of the analysis and to analyse the impact the way board members do when discussing new challenges and evaluating risks.
The first observation I make when asked for advice is that there is often no doubt in the mind of a board member that the GDPR is a synonym for bad news. The legislation itself is rather a black box (as with many new laws, it will take time to clarify the GDPR, set standards, etc.), it costs time and money (and nobody knows how much), it impacts the whole company (and not only IT), there is little guidance, and on top of all of that they do not see why such severe legislation is required (it went well in the past, so where is the problem?). This attitude is understandable because board members, especially in the financial sector, are submerged in new legislation and requirements, and, as we all know, resources are limited.
An argument often used is that data subjects are careless with their personal data (which is why DPAs have the task of creating awareness and educating the public), and controllers do not see why companies should be more catholic than the pope. Most companies claim to be (and are) professional organisations, and they assume that, being so, the way the processing of data is organised offers sufficient protection. The general idea is that with some common sense they manage personal data in what they consider a safe way and for appropriate purposes. Furthermore, they argue that they have no choice but to process personal data (even marketers use this argument, knowing that the same conclusions are often perfectly possible with anonymous data). Personal data is needed to process the requests of clients and to do marketing, and even when personal data is sold to other parties, companies think it is in the interest of the data subject, who gets a better service and is better informed by all the publicity he/she might receive.
The GDPR sees things differently and, let's be honest, not entirely without reason.
It is not because a data subject is 'careless' that a controller or processor gets full freedom to act. The basic principle of privacy legislation is that a data subject gives his data (and only the minimum needed) to process his contract with the controller. The personal data can only be used for this specific purpose, and once the contract is fulfilled and no further legal obligations remain, the data must be destroyed in a professional manner. During the processing, the data subject may expect that his data is handled with respect, sufficiently protected and kept confidential.
The GDPR is indeed legislation which impacts the whole company. It is not enough to adapt IT systems, not even with state-of-the-art privacy-by-design methodology. Privacy risks are present in all processes using personal data, in workflows, in end-user technology, etc. That is why a solid governance model is a fundamental requirement (this includes adequate documentation, policies and procedures, organisational and technical measures to protect the data, monitoring, reporting, tools (e.g. for breach management), a retention and destruction policy, training for all staff, etc.). This is indeed time-consuming and costly if one has to start from zero (which is the exception because, after all, the existing legislation already requires many of these items). However, one should not forget that once the effort is made to create what is missing and to update what exists, such a governance model creates trust and saves a lot of money (less monitoring, less exposure to complaints and fines, less repair, new business opportunities). It is comparable to the cost of compliance. For years this cost was seen mainly as a cost. Last year the FSA (the English supervisor) published a report on fines given to banks, and the conclusion was that the efforts made by the compliance departments of banks caused the number of fines to drop, and that compliance was worth the money spent.
There is also an important message for our commercial departments: having solid privacy governance is a strong and attractive argument to set yourself apart from the competition. Marketers, instead of being afraid that no business will be possible (or that it will at least become very complicated) when respecting the law, will find that more opportunities arise.
A good governance model saves money because avoiding legal disputes is cost-saving, because principles such as privacy by design and by default lower monitoring costs, and because a good model diminishes the risks inherent to the processing of personal data and thus the risk of breaches, costly repair efforts, reputational damage and regulatory claims. A good governance model creates and maintains trust between all stakeholders.
Of course, to get to that level some effort is required, and with professional help it is feasible. The GDPR may be presented as a revolution, but it mainly clarifies and enforces existing legislation (among others the Directive of 1995), so there is no need to start from scratch.
Companies in compliance with the GDPR have a clear competitive advantage over those which are not, and in the near future this will become clear to all of us: more and more audits will be performed, media attention and awareness of privacy as a human right are becoming more and more prominent, data subjects exercising their rights will no longer be the exception, interest organisations will take action, etc. All of this will become part of our daily life.
For this reason we can state that, also for controllers and processors, the GDPR should not necessarily be bad news.
But we should not be naïve; the GDPR has the potential to become bad news. When confronting board members with the GDPR and its impact, I often get the reply that action plans are only made because of the high fines. This was the purpose of the legislator, but it is in fact a very weak motivator. No child got a better education just because it was afraid of being punished. We are, after all, not Pavlov's dogs. The best motivator is to understand why it is important to be compliant.
I admit the fines might be considered important (it is becoming a sort of competition between different legislations: which one has the highest fine?). However, fines should not become the trigger for ranking risks. Let me explain: when getting a traffic fine, the fine closes the issue and there are no further consequences. Fines in the framework of the GDPR (and this argument is also valid for other legislation) are just the beginning of the trouble. A fine does not close the issue. Next to the fine, the controller/processor will suffer reputational damage, data subjects will request compensation for losses (moral or material), and the regulators will impose an action plan (with strict deadlines) or even forbid further processing.
As we see with other legislation (e.g. the US sanctions legislation OFAC), the fine is only the tip of the iceberg, and companies are in general impacted more by the other effects and measures than by the fine itself.
Let's translate this into a language board members understand: what is the risk for the company (or the public entity) of not being compliant?
The definition of risk is 'frequency' times 'impact' = the inherent risk. Mitigating factors reduce this risk until we reach the residual risk. It is up to the board to accept this residual risk (the board's risk appetite).
And here we get to the potentially real bad news. The impacts are, among others, the fines, action plans, reputational risks and even penal consequences where voted into national legislation. There will be a call for effective organisational and technical measures, for training, for monitoring, for reporting, for hiring specialised staff, etc. Bad news indeed, but it can be worse: the real risk is the volatility of the 'frequency'.
During my contacts with many companies, even very large ones, I noticed that only a small number of privacy issues occurred. The main reason was that there were no tools or instructions to recognise privacy breaches, and incidents were often considered only IT incidents. There was no awareness whatsoever among staff to identify failing procedures or unlawful processing from a privacy angle. On top of that, data subjects (only clients, because staff did not dare to act) exercised their rights only very rarely. In general, large companies have no more than 10 requests for access per year! This is indeed a negligible risk frequency and easy to manage. Moreover, most of these complaints ('complaint' is the wrong word, because it concerns the exercising by a data subject of his/her access right) were attempts by the data subject to hurt the company because the data subject was angry about a commercial conflict that had not been given a solution the data subject considered fair. So the exercising of the right was often not even in the spirit of the privacy law.
Now with the GDPR the frequency will rise exponentially, and this for several reasons. First, the data subjects get more precise rights, the obligations for controllers/processors are also clarified, and it will become very hard to defend weaknesses because, starting May 26, 2018, the obligation to prove that the processing is compliant with the GDPR lies with the controller (it will no longer be the data subject who has to prove that things went wrong and that he/she suffered some damage). Furthermore, the GDPR recognises other parties, such as consumer organisations, as also having the right to act (even without a mandate from their members). And last but not least, the data subject can file a request for access or report any violation of his rights and freedoms with any of the DPAs in Europe or even with the European Board. These DPAs have the obligation to investigate (until now they also did when the law was clearly not fully respected, but starting May 26 the requirements for the controller are more specific, and controllers must be able to convince all stakeholders that their governance model withstands critical analysis and complies; it must cover all processing), and they will be challenged more because their evaluations will often be shared with other DPAs. The controller's answer must be complete, in adequate language and fully transparent, explaining the processing and the governance model. The awareness campaigns, the mandatory privacy notices on websites and documents, the attention for privacy in the media, etc. will encourage more and more data subjects to watch their rights closely.
In addition, a data subject has the right to simultaneously start proceedings before a court of justice.
The ease with which a data subject can exercise his/her rights, in combination with the larger efforts required from controllers/processors, will create the need for a solid governance model in order to prove compliant processing and to have the material capacity to answer all requests within the deadlines set in the law.
This volatility of the 'frequency' parameter will make the inherent risk boom, and mitigating factors are essential for each controller/processor to survive. Mitigating these risks can only be done via a privacy governance model which is implemented throughout the whole company and is a real part of the daily life of staff and management.
If after reading this you are convinced that the GDPR is bad news, it probably only means that you are afraid of the cost but do not understand the positive, mitigating effect of a governance model, which will save money and create trust. And waiting will not solve the problem by itself. A piece of good advice: take action on your own initiative! It will allow you to run your project in line with other mandatory implementations you have to decide on, and it will be much more comfortable than having to do this under pressure from clients, media, regulators, … because then the deadlines will be stricter, the stress much higher and the costs will go sky high. A last suggestion: a quick win is to consider the privacy requirements of each new project from the beginning.
Yes, the GDPR can be bad news for those not prepared, but in the end, only for those.