GDPR governance: how much is enough?

The EU’s General Data Protection Regulation (GDPR) comes into force from 25 May 2018, posing some potentially onerous governance, risk and compliance challenges. Companies’ policies, systems, controls, and training for members of staff must pass muster under the new regime.

How closely companies’ data governance can be policed is moot, particularly because supervisors have finite resources for the job, but what is certain is the authorities have stronger powers to punish those firms that lost data and are deemed to be badly governed.

Hiding breaches will also no longer be an option: GDPR means a firm must notify its data protection authority of any data breach that risks people’s rights and freedoms within 72 hours of the leak.

Again, failure to comply is likely to mean stronger enforcement penalties: failing to meet the 72-hour deadline could mean a penalty of up to 2% of annual worldwide revenue, or €10m, whichever is higher.

With businesses facing constant risk of cyber-attack, hacking of their systems, data losses, lost laptops, insider and outsider frauds – it seems likely there will be plenty of breaches. Better to show some reasonable steps to compliance, then, before something bad happens.

“Demonstrating compliance is generally speaking one way of defending yourself – showing that you have taken steps to comply, such as by doing a data audit to ensure you have the right record keeping in place,” said Sarah Pearce, a partner who focuses on data protection and technology transactions at legal firm Cooley.

It seems many firms remain unaware or naïve about the impact GDPR could have on their business, with lax data governance less of an exception than the norm.

“Most companies don’t police what their employees do with personal data as closely as they should, even under the existing regime,” said Ann Bevitt, a partner and data protection and employment law specialist at Cooley. [In the UK the incumbent regime is the Data Protection Act of 1998.] “GDPR puts heightened regulation on employers relating to employees’ use of personal data.”

Employees keeping client or third-party data on memory sticks, company or personal email accounts, personal or work laptops leads to a potential governance nightmare. What to do?

“It may mean establishing different processes and using different technologies. Companies may need to work remotely in a much more compliant way than they have been,” said Bevitt.

She highlighted the case of UK supermarket chain Morrisons. Disgruntled employee Andrew Skelton posted payroll data of nearly 100,000 staff in 2014 – national insurance, accounts, dates of birth, salary and contact numbers. The civil case was brought by 5,518 current and former staff against the supermarket chain after the criminal case had convicted the individual. The UK’s High Court found the supermarket liable, meaning thousands of staff are in for compensation.

“Morrisons said they did all they could in mitigation,” said Bevitt. “It’s very hard to deal with a rogue employee like that. The court had sympathy but still found Morrisons vicariously liable. The risks are going to be much increased under GDPR and you’re never going to be 100% secure.”

Training is crucial, stresses Pearce. “It’s about training employees what’s okay and what they might be doing is risky. It’s particularly important to look at the way you do it across company,” she said. “That means gearing training internally to different teams. So, the IT teams should have that training about how to treat data securely from the outset - privacy by default needs to be brought home.”

That should be built on top of the generic GDPR training for the whole staff, according to Bevitt, while not forgetting to include those who might not be on the internal lists: interns, contractors or consultants with access to personal data.

“Everyone should have a general awareness of rights and responsibilities,” she said. “Other specific teams needing different training include human resources and service support, who will be on the receiving end, for example, of recognising customer requests for the right to be forgotten, and passing them on appropriately.”

Ultimately, firms’ compliance efforts will be limited by common sense – they need to stay competitive and avoid prohibitive costs. “Reasonable compliance will likely mean to have done all that is possible while remaining commercially sensible,” said Pearce. “But of course, it remains to be seen how the regulators will react.”

With the clock ticking down to 25 May, StrategicRISK has created a section for all things GDPR on the homepage.