We have been speaking at a number of conferences over the past few weeks, and it has been fascinating to discuss the General Data Protection Regulation (GDPR) one month on. It is great to see that so many organisations have viewed the regulation as a real opportunity to engage with their clients and customers in a more meaningful way. It also seems that serious thought has been put into which activities to prioritise, how to bring together stakeholders across the organisation and ensure that everyone is aligned to the changes.
A few days ago, while delivering a presentation at a conference, attendees remarked that they had prioritised areas of focus to get them over the finishing line with their GDPR compliance, but there was a lingering sense that there was yet more to be done. This view was confirmed by the results of our survey of participants at the recent Infosecurity Europe conference. The results showed that 43% of respondents had had to embark on substantial work to meet the requirements of the new GDPR legislation, but 48% are still not entirely sure how these will tie in with upcoming regulatory and legal changes, including ePrivacy, Brexit and the NIS Directive. With regard to the latter, 44% of the respondents stated that they were unaware of whether the new legislation would apply to them or not.
Furthermore, 38% of respondents outlined how they are – or will be – deploying Internet of Things (IoT) or Artificial Intelligence (AI) based tools, which will need to meet both the GDPR and high ethical standards.
This all leaves one lingering question – where do we go from the GDPR?
Before you can answer this, it’s important to understand that the GDPR is a journey, one which only started on 25th May. As a result, companies should be reviewing their current position and focusing on some, if not all, of the following:
- Third party contracts: this is probably an area that many organisations have approached using a risk-based methodology, concentrating on reviewing the most relevant contracts first. However, now is the time to look at warranties and liabilities very carefully, depending on the controller / processor relationship.
- Record of Processing Activities: most organisations we have worked with have put a lot of effort into this essential requirement. Ensure these tools are not abandoned but kept alive and updated.
- Brexit: at present, we do not know whether adequacy will be an option or whether it will be possible to achieve an ad-hoc data sharing agreement with the EU, which is the solution preferred by the Department for Exiting the European Union. Obviously, the spectre of becoming a ‘Third Country’ is there, so companies operating at an international level need to start thinking about how to ensure business continuity post Brexit. We recommend looking at your most important contracts to ascertain whether inserting Standard Contractual Clauses is a viable option, or whether the organisation needs to start a journey to achieve Binding Corporate Rules. Above all else, develop a clear map of which countries the data is shared with, where the data resides and whether special categories of data are part of the equation.
- NIS Directive: companies providing services to the NHS or operating within the UK’s national infrastructure sectors might be caught by the new directive, which has now been transposed into UK law. Companies need to make sure they ascertain their responsibilities, should this apply to them. For more information you can look at our latest paper or visit the National Cyber Security Centre’s website.
- ePrivacy: although the ePrivacy regulation is currently stalling in the European Parliament, we advise that businesses start to look into the requirements of the proposed legislation to ensure they are ready to start embedding compliance from the get-go.
- Training and awareness: companies must make sure staff are trained, with regular top-up sessions to ensure ongoing awareness. It is not by chance that 42% of our respondents identified this as a key challenge for the future. It is important to review the preparedness of team members and test them regularly. We always recommend that you bring the GDPR and data privacy to life through real cases in order to make it relevant and interesting to employees.
- Data Protection Impact Assessments (DPIAs): all companies we have worked with have produced great processes and procedures to ensure staff are aware of their obligations. It’s now time to ensure that these are fully embedded into business as usual. Furthermore, companies should keep an eye on the regulator (or regulators, if they operate across the EU), as they are specifying which processing they deem high risk and therefore requiring a DPIA to be conducted.
On top of all the above, companies working at an international level need to ensure they follow local developments and pay close attention to data protection authorities at the EU Member State level. This is an important piece of work which will allow businesses to operate in full accordance with the law.
And finally, AI. With AI becoming increasingly crucial to organisations, close attention needs to be given to the deployment of ‘intelligent’ tools; 38% of our respondents confirmed that they were planning to deploy AI or Machine Learning. Where that is the case, companies must move beyond compliance and embrace ethics via:
- a multi-stakeholder approach; and
- sound governance aimed at mitigating privacy and bias risks.
It seems that there is always something more to be done, and while no-one said that it would be easy, ensuring you are following data protection best practice is an ongoing and exciting journey. There will be bumps in the road, but those that embrace it fully will be able to gain a competitive advantage, grow their reputation and build consumer trust.