GDPR: barristers-at-law debunk five legal myths
With GDPR coming into full force this month, all organisations involved in handling data, including not for profits and charities, are under unprecedented pressure to comply with this new regulatory landscape.
But, according to Barristers at Law, Quentin Hunt and Dean Armstrong QC (co-author of Cyber Security Law and Practice), even those organisations who consider themselves to be up to speed remain at serious risk of falling foul.
Recent research by Capgemini has identified that, in the UK alone, 45% of organisations are not yet fully compliant or ready for the changes, and 15% have made the bold statement that GDPR does not constitute a priority for them. Overall, the research suggests that 85% of organisations across the US and Europe will fail to be fully prepared for compliance by the looming deadline.
Hunt and Armstrong’s combined experience across the cyber security and GDPR landscape corroborates this view and has highlighted the fact that even organisations who think they are prepared are typically labouring under several key misunderstandings of what GDPR really means. So, the two barristers have come together to lay out the five most common misconceptions and offer practical tools to allow organisations to test their readiness.
The top five myths
Myth 1: GDPR compliance is a black and white business
According to Hunt and Armstrong, one of the biggest legal complications with understanding GDPR is that this is not a rule-based piece of regulation. “When you’re dealing with something like the EU’s Markets in Financial Instruments Directive (MiFID), or driving at 35 miles per hour (mph) in a 30mph zone, the parameters of the law are clear cut and there is little need for interpretation,” says Hunt. “GDPR, on the other hand, is a principle-based regulation. Compliance is assessed in accordance with designated principles, such as whether ‘effective’ consent has been obtained by the data owner and whether that data is considered to be ‘current’. Should an investigation arise, such judgements would be at the discretion of the Information Commissioner’s Office (ICO) and would involve a legally-based assessment.
So, it’s easy to see how organisations who might consider they’re on top of GDPR may in reality be at risk of being found to be non-compliant.”
Myth 2: GDPR fines are just an operational cost
GDPR fines are at a level never seen before in data protection. The extent of these financial penalties has the potential to destroy an organisation – and NFPs are particularly vulnerable, given their typically tight and stringent cash flow scenarios, Hunt and Armstrong warn. Certain infringements have the potential to incur fines of up to €20 million or 4% of worldwide annual turnover – whichever is higher. The nature, gravity and length of the infringement, number of people affected, and any mitigating action, will all affect the level of fine. Plus, there’s the reputational damage to consider. If severe, a breach could impact massively on organisational reputation and donor loyalty as well as on financial reserves – the most serious of scenarios, given the charity sector’s dependence on these factors for survival.
Myth 3: GDPR is an EU matter
If your organisation depends on fundraising amongst – or trading with – EU citizens, then you will still need to adopt data protection regulation that is as rigorous as GDPR, or more so. Hunt and Armstrong point out that anyone wanting to access the EU market has three paths open to them:
a. One option follows the Norwegian route and involves joining the European Economic Area, which requires that non-EU countries implement rules and procedures that are equivalent to those in the EU.
b. In the case of bilateral trade deals with the EU, these typically result in the non-EU country having to agree to apply laws that are at least as demanding as EU legislation. This is the route Switzerland has taken. In both these instances, non-EU countries would have to adopt data protection regulations that are as strict as GDPR.
c. It is possible for a non-EU country to maintain independent trade deals without taking on the burden of equivalent obligations, but in this instance GDPR will still require ‘adequate’ protection to be put in place in order to allow EU members to pass information to the non-EU country.
The core message is vital: if your organisation is offering goods or services to EU citizens, fundraising amongst them, or monitoring their behaviour, then GDPR will still apply to you, regardless of your own organisation’s location.
Myth 4: The compliance team bears full responsibility for GDPR
Hunt and Armstrong are keen to emphasize that GDPR is something that every NFP executive must fully understand and be on top of. “At the regulation’s core is the sanctity of personal data,” says Hunt. “This is centred on the notion that personal data belongs to the individual and that organisations are mere custodians. It represents a fundamental change in the way that every organisation uses, manages and protects data – and ignorance or buck-passing will be no defence at all. Make no mistake, it is absolutely the responsibility of both the executive leadership and the Board of Trustees to ensure that your team understands what GDPR means for their job and for your charity.”
Myth 5: Technology is a panacea
In Hunt and Armstrong’s experience, many organisations are still wrongly assuming that GDPR is all about the data hack, and that beefing up cyber security measures provides all the answers. But compliance by design and default is the GDPR mantra – therefore by definition technology can only solve part of the problem.
In the case of, for example, a breach caused by someone leaving confidential papers in a taxi, there’s nothing technology can do to prevent that. What’s more, the two barristers note, GDPR also forbids reliance on automated decision making. Technology has a role to play in GDPR, but there is also a crucial role for human judgement and the ability to reverse a decision. Technology should only ever play a supporting role to bespoke expert advice in this area.
Five steps to take right now
The enforcement deadline is now upon us – so if you are even slightly concerned, Hunt and Armstrong’s initial advice is to consider the following questions to establish your organisation’s fitness to meet the regulations.
1. Regularly review your data, including the type you are collecting. Ask yourself:
a. Can any of this data be anonymised?
b. Where is the data going?
2. Review your processes for data breach notification, security and risk assessment.
3. Check your contracts – do you need to conduct a data protection impact assessment?
4. If you are a data controller, review your relationships with data processors.
5. Train your workforce. As mentioned, it is not enough to rely on your compliance or technical teams. Consider the following questions:
a. Do you need to hire a data protection officer?
b. Do you have adequate processes in place should employees have to handle a serious data breach?
c. Are your contracts – with staff and subcontractors – GDPR compliant?
d. Have you given your employees the correct information?
“There is still time to make an initial and informed assessment of your compliance with GDPR,” says Hunt. “But, with so many misconceptions remaining rife, and with so much at stake if you fail to comply, it’s vital that you honestly assess these areas immediately and seek advice in any areas that are unclear.”
You can also head over online to take the GDPR quiz, to quickly establish what level of risk you are at and how to proceed.
Hunt and Armstrong can be reached directly at Quentin Hunt’s criminal defence website.
Quentin Hunt and Dean Armstrong QC are both Barristers-at-Law at 2 Bedford Row Chambers, working closely together in litigation and advisory matters encompassing Data Protection, Compliance and the Criminal Law. They advise clients in all aspects of Data Compliance and GDPR compliance, with a special perspective from their combined Criminal Law and Litigation experience. Dean has recently co-authored Cyber Security – Law and Practice.