Get the training you need with GDPR Sentry services

GDPR Envy: Data protection across the pond

Among all the questions about the impact of the GDPR, it’s interesting to see another perspective on concerns about personal data. This comes from consumers in the USA, a country with some mixed attitudes toward privacy in general. From a survey conducted in September 2017, PWC have produced a report for their Consumer Intelligence Series called Protect.me.

There are some fascinating insights into the representative American adult. Fully 45% of the sample thought that their email or social media accounts would be hacked in the next 12 months, 29% expected to be the victim of credit card fraud (really 29%?) and 21% expected their employer would be subject to a cyberattack.

It’s perhaps worth pointing out that 25% of the people asked thought they would have a lottery win in the next 12 months, so despite the worries there is still optimism.

Of the people asked, only 10% felt they had complete control of their personal information. More than 70% felt that the company holding their data (the Data Controller from our perspective) was better qualified to protect that data than the Government. At the same time, more than 80% felt that there should be regulations covering how companies can use personal data.

What’s interesting is something that makes it into the report almost as a throwaway line.
“Unlike the European Union’s approach to data privacy regulation—known as the General Data Protection Regulation (GDPR)—most US data privacy laws vary by sector, data type, or from state to state.”

Whether we are in the EU or not, our decision to implement and abide by the requirements of the GDPR means that we are likely to be given trusted status. This means that there are more than 600 million people whose data can be processed here in the UK. It also means that firms in the EU will be able to outsource to the UK easily. Sometimes there are advantages to doing things as a group!

With the GDPR the Devil is in the details

Mention the UK and the EU right now and you’ll almost certainly hear about Brexit. Organisations pondering life outside of the EU may be forgiven for not being totally up to date with the details of the GDPR.

Take a journey back in time with me to 1963. Britain was trying to get into the six member club that was the EEC. General De Gaulle had just given his first ‘non’ because of a perceived lack of commitment to the principle of the community.

In the same year Richard Mayne, the personal assistant to the first President of the EEC, said:

“On the principle that ‘the devil is in the details’, what should have been a merely formal occasion developed into a debate about the Community’s official languages and the site of its headquarters.”

It’s arguable whether De Gaulle was proven right in the end, but if the GDPR is anything to go by Mayne was spot on.

The problem is that despite the 99 Articles, the 173 recitals and the hundreds of pages of guidance, there are still plenty of places where the regulations must be interpreted. There is discussion about how case law will develop around these blank spaces, but who wants to be the name on the court case?

For organisations that are moving towards compliance, a judgement must be made on how to proceed in the world away from the ‘Eurocrats’ (reputedly another Mayne invention). There is a balance between being able to deliver service to customers, keeping their information secure and avoiding enforcement action.

The 25th May is not going to be the end of the process by any means. We’ll all be adjusting our view of what the regulations really require for some time to come.


Should you have a DPO?

The DPO, or Data Protection Officer, is a role that has been discussed at length as the GDPR has moved from concept to reality.

The DPO is responsible for:

  • Informing the organisation on its GDPR obligations
  • Monitoring that compliance
  • Being the first point of contact for employees and supervisory authorities
  • Training staff
  • Conducting audits and supporting data protection impact assessments

There are requirements about how the role fits into the organisation. It must report to the highest level (to a board member) and have access to appropriate resources. The DPO must not be at risk of dismissal or penalty for doing the job. Conflicts of interest, such as decision-making responsibility for how data is processed, are not allowed.

You can assume that all the requirements were made with large organisations in mind.

Some organisations must appoint a DPO. Public bodies like schools and organisations that process large amounts of personal data must have a DPO in place for May 25th 2018. For others there is no mandatory requirement.

The question is, should you appoint a DPO anyway?

Organisations rely on accurate, well managed information: it makes great customer service easier and can be the basis of improved efficiency.

It may seem that the Data Protection Officer must be an IT expert but, in fact, it’s a process role. The best person to deal with the task may well sit in an Operations role, or be whoever is responsible for quality management if you have such a person. This should avoid the conflict of interest issue, but there may still be some reassurance needed that they will be supported.

Thinking about compliance as a process you integrate with the day to day operation of the organisation, rather than as an unknown external risk, can remove the fear factor. Whether you give the title to a person or not, the tasks of the DPO can become part of business as usual.
