Thoughts on the general data protection regulation (GDPR)
The impact of GDPR is ubiquitous in the information management industry right now. It is also the topic of many of the conversations we are having with clients. We recently undertook a piece of research (jointly with our partner Informatica) into the impact of GDPR in the public sector. This has resulted in many follow up conversations and meetings with more to come.
There is a wealth of training courses becoming available too (for example, the IDM’s Award in GDPR online course). As a result, organisations are starting to realise just how far-reaching GDPR is and how much they are going to have to change to comply.
I should state upfront that I am not a GDPR legal expert but some of the areas I have found particularly interesting include:
Subject access requests
Fact: data controllers will no longer be able to charge a fee for processing subject access requests. The implication is that they should expect the number of requests to increase, possibly substantially. They will need to have thoroughly mapped out where they store personal data and who is accountable for it in order to respond efficiently.
It appears that in many organisations, IT has no idea how many SARs are already received by data controllers or how long they take to answer. One example was a legal team that needed 3 weeks of 3 lawyers working 12-hour days to answer a single SAR. This was because nothing was automated in terms of understanding the data, where it sits and who owns it.
IT often plays no part in helping to assemble this information and therefore is not thinking about how to address it from a systems point of view. Close engagement between IT and the business, supported by the executive team, in the course of preparing for GDPR compliance will be essential. It is the only way to ensure that the people, process AND technology components of this data initiative are closely aligned.
The need to obtain “clear and unambiguous” opt-in consent seems to be reasonably widely understood even if organisations are not sure how they will go about it. What confuses people seems to be when they can use legitimate interest as the basis for processing data, particularly for marketing purposes.
For legitimate interest to even apply there has to be a “relevant and appropriate relationship”, e.g. the data subject has to be a client of the data processor. However, there are a number of notable exceptions, which include but are not limited to:
- If the organisation is a public sector authority
- If the data subject is a minor
- If the processing in some way infringes the rights of the individual
- IF the data controller has an appropriate relationship with the data subject
- IF none of the exceptions apply
- IF they have told the data subject that they believe they can rely on legitimate interest and…
- IF they have provided an opt-out at the time of data collection
- THEN they may be able to justify postal or phone marketing
BUT emails and SMS will be subject to the ePrivacy Directive, which is currently under review in order to align it with the GDPR. The ePrivacy Directive already sets out rules for electronic communications; however, standards of implementation vary widely across the EU member states. It will now become a regulation, apply very similarly across the EU, and be implemented on the same day as the GDPR.
According to the IDM, it will bring significant changes to the consent requirements for direct marketing cookies. There are many more details and ramifications coming out, and we’ll cover some of these in future blogs!