Beware 'fake news' on GDPR, warns compliance lawyer Jonathan Armstrong

Many companies have a false sense of security around compliance, warn industry insiders

Understandably, given that it is a 200-page document of fairly dense legalese, many people are a little fuzzy on the details of the EU General Data Protection Regulation (GDPR) which comes into force across the EU in May 2018.

The GDPR lays out some pretty clear rules about the treatment of personal data and provides the authorities with some big sticks with which to punish transgressors, including a maximum fine of €20 million or four per cent of global turnover, whichever is the larger. Those seeking comfort from the fact of Brexit should note that the GDPR is likely to be adopted with few changes by the UK too.

The GDPR's requirements may be clearer than the legislation it replaces, but the practicalities of how to comply with them are not, particularly in areas such as the right to be forgotten, and the relationships between processors and owners of data.

Companies need to get to grips with the forthcoming law, and not just their legal departments. Board members and IT leaders ought to do the same, according to Jonathan Armstrong, partner at law firm Cordery which specialises in compliance. At present, their understanding is lacking.

"I think it is no wonder then that IT teams are so confused when there is so much 'fake news' about GDPR around," he said. "GDPR is a big document and unfortunately a lot of the notes produced by vendors have been simply wrong - for example getting the level of fine wrong, the time to report a breach and the technical measures needed."

The high level of fines and the implications for company reputations make it imperative that the CEO understands the reality of the GDPR rather than basing their knowledge on second-hand information, he went on: "Customers will expect the management to take a lead as will investors. The CEO will need to clearly understand the implications and fines that would arise from a failure to meet the regulations."

Steve Maltby, sales director at channel cloud services partner ORIIUM, said it's the CEO's responsibility to ensure that best practice is followed throughout the organisation.

"Managing risk is a cross-organisational responsibility, meaning that CEOs and business leaders must bring their teams together to drive policy from the top down," Maltby said, adding that it is vital that compliance initiatives enjoy support at the highest level.

To counter misinformation about the GDPR, Jaspreet Singh, CEO of cloud information management firm Druva, said firms should head to the Information Commissioner's Office website for advice.

"The ICO guidance is in very plain English and understandable for everyone," he said.

Target marketing?

There may be holes in the understanding of the law by IT and the board, but the knowledge gap may be at its most significant in marketing. Not only do they use a lot of personal data, but marketers are also big users of cloud-based CRM services.

"Marketing departments are focused on getting value out of data, but not looking at the wider information management lifecycle. The focus is on looking forwards," said Singh.

Darron Gibbard, chief technical security officer at security vendor Qualys, agreed. "Many marketing teams don't think about data security right now. This will have to change, both for internally hosted data and for any information held within cloud apps," he said.

The cloud companies themselves will increasingly differentiate themselves on the basis of compliance, but it will generally fall to the IT department to ensure that line-of-business departments are taking the right steps. They will need to push through data governance measures, possibly in the face of some resistance as it may make marketers' jobs more difficult in the short term.

Tackling shadow IT also attains new importance in the light of GDPR. Cloud-based storage is very useful for flexible workforces who use multiple devices, but it makes compliance with data protection rules that much more difficult.

"Not knowing won't be a defence," warned Singh.

Maltby added: "IT teams should be able to implement solutions that ensure mobile devices are encrypted and that data is managed appropriately including protection, access rights, reporting and auditing."

Contingency funds

Given the importance of GDPR, should compliance be itemised in the IT budget? This will depend on the nature of the business and the effort needed to bring systems into line before May 2018, but Gibbard fears that IT leaders may be underestimating the task ahead.

"Many CIOs are currently planning on this being a 'standard' compliance activity that would last about six months. This is not enough time to carry out the full data audit and get processes up to date," he said. "CIOs will have to either look at how to convince other departments that they need to spend money on this, or make the case to the board for additional budget. Neither of these are nice conversations to have."

Making GDPR compliance a line item in the budget would focus minds and help CIOs secure the support they need from the business, he added.

Cordery's Armstrong agreed that the task will be bigger than many think.

"The mistake many businesses make is that they do a gap analysis between the existing law and the requirements under the GDPR. In most cases this is a mistake because they don't comply with the existing law," he said.

GDPR is not the only data protection legislation coming down the road. The new ePrivacy Directive, which will likely change the way cookies can be used, arrives around the same time. CIOs are advised to review the requirements for themselves and not rely on second-hand information.