From warnings that UK councils are underprepared for cyberattacks, to reports that the United States Securities and Exchange Commission has beefed up the rulebook for companies dealing with breaches, cybersecurity is seldom out of the headlines. The glare of the media spotlight has been further intensified by the imminent enforcement of the GDPR, which comes into effect on the 25th May.
Far-reaching in scope and imposing potentially hefty fines for violation, the GDPR marks a sea change in the way data is regulated. The new law, which requires private organisations and public entities alike to report data breaches to regulators in most circumstances, will have direct effect throughout the EU.
At the same time, organisations outside the EU, such as US-based companies that target consumers in the EU, monitor EU citizens or offer goods or services to EU consumers (even if for free), will also have to comply.
Brexit is no escape
Importantly, for UK firms, Brexit is no get-out-of-jail-free card: not only will the UK still be a part of the EU on the GDPR’s implementation date (and so the GDPR will automatically apply), but the UK Government has all but committed to retaining the laws post-Brexit to ease the transition.
And with the UK’s Information Commissioner (ICO) Elizabeth Denham declaring in a speech last year that the GDPR is ‘about moving away from seeing the law as a box ticking exercise, and instead a framework that can be used to build a culture of privacy’, preparation is not only advisable, it is essential.
After all, with the sustained media interest in cybersecurity, falling foul of the law is liable to inflict significant reputational damage, not to mention potential fines of up to €20 million or 4 percent of global turnover, whichever is greater, in serious cases.
The need to ensure effective compliance is particularly pronounced for datacentres and businesses operating in the IoT space given the amount of information collected and stored, and the potential weakness in wireless technologies, which can be exploited by hackers. To start with, businesses should be aware of the following key points introduced by the GDPR:
- Consent
New rules are introduced relating to the collection of data, e.g., consent must be “explicit” for certain categories. Existing consents may no longer be valid, and consents obtained going forward should meet this new threshold. In addition, IoT products which incorporate privacy settings should by default be set to the most privacy-friendly setting, although users can be given the option to change these settings as part of an initial set-up process.
- Enhanced rights for individuals
New rights will be introduced around (i) subject access; (ii) objecting to processing; (iii) data portability; and (iv) objecting to profiling, among others. The right to data portability empowers individuals to request that their data be transferred to a third party, likely a competitor, in a machine-readable form.
- Privacy policies
Fair processing notices will now need to be more detailed, so organisations will need to ensure that policies are updated.
- International transfers
Binding Corporate Rules for controllers and processors as a means of legitimising transfers will be expressly recognised for the first time and so should be considered as a transfer mechanism for data transfers out of the European Economic Area. Also, if the UK leaves the European Union without a “data-deal”, transfers of personal data between the UK and Europe may not be permitted unless safeguards are in place. Businesses should examine affected data flows now and develop contingency plans for data transfers post-Brexit.
- Breach notification
New rules requiring breach reporting to regulators within 72 hours, and to the individuals affected (subject to conditions), will be introduced, and so processes in place (or not) will need to be revisited to accommodate these rules.
- Accountability
Crucially, organisations caught by the GDPR will be required to demonstrate compliance, e.g.:
- (i) maintain certain documents;
- (ii) carry out Privacy Impact Assessments;
- (iii) implement Privacy by Design and Default (in all activities), requiring a fair amount of upfront work.
For example, when developing an IoT product, a risk assessment will be required to review the sensitivity of the data collected and detect potential risks.
More than a quick fix
A keynote of the legislation is the drive to promote accountability throughout an organisation. It is not enough to bet the farm on a quick-fix, “out of the box” technological solution; organisations instead need to consider compliance in real, proactive terms, and should prioritise the following as a minimum:
- Prepare and update the data security breach plan – to ensure new rules can be met if needed.
- Set up an accountability framework – e.g., monitor processes, procedures, train staff.
- Review privacy notices and policies – ensure these are GDPR compliant. E.g. do they provide for the new rights individuals have?
- Audit your international transfers – do you have a lawful basis to transfer data? How will transfers continue post-Brexit?
- Audit your consents – are you lawfully processing data? Will you be permitted to continue processing data under the GDPR? What are the default privacy settings on your IoT products?
For those businesses who have yet to consider their obligations, the advice is to start thinking about compliance under the GDPR as soon as possible. Not only will compliance be crucial for retaining customer trust, it should also help avoid substantial damage to both your reputation and bottom line. Whilst the GDPR’s implementation date is 25 May 2018, as the Irish Commissioner recently went on record as saying, companies do in fact need to be compliant by 24 May 2018 as investigations for non-compliance begin the day after.
Rafi Azim-Khan is head of data privacy, Europe at Pillsbury Law. This article was co-written with Steven Farmer, counsel at Pillsbury Law.