Sunday, 29 January 2017

What (currently ignored) privacy area might result in early enforcement action when the GDPR is in force?

We have 480 days to go before the General Data Protection Regulation is “in force”.

And then what?

That's the question I’m being increasingly asked these days.

Does it really mean that in 481 days, European privacy regulators will be heralding the first megafine for non-compliance with one of the GDPR’s more obscure requirements?

I think not.

But it will undoubtedly lead to greater unease amongst the audit committees of many firms, particularly those in the (regulated) financial services sector, who will note, from the data protection compliance reports that have been commissioned, the difficulties that are being encountered in ensuring that sufficient evidence is available to demonstrate how the organisation complies with the GDPR.

Many of the organisations I’m currently working with are still trying to understand just what it is that they are supposed to be complying with. And also, what standard of evidence is necessary to be generated, just in case privacy regulators exercise their Article 30(4) right to request it.

Each professional consulting firm I’ve come across carries out data protection audits / health checks in different ways. And, in assessing data controllers through different privacy prisms, I’m confident that some organisations might well “pass” a privacy review that was carried out by one consulting firm, yet “fail” the review that was carried out by another firm. Why? Because the other firm had decided to focus on some obscure GDPR issues that the original firm didn’t think were particularly relevant.   

Does this matter?

Well, it would if it led to the organisation performing poorly in a review that was carried out by a national privacy regulator.

So, what should be done to reduce the likelihood of such an event?

In the UK, the ICO has provided organisations with a great deal of guidance as to precisely what controls they would expect to see in place and operating effectively. I don’t see this degree of guidance readily available in other EU countries. I have not had an opportunity to review all the webpages of each national data protection supervisory authority, but my cursory checks have certainly not unearthed the level of detail that has been published by the ICO. Perhaps this will be a task for the Data Protection Board.

But, in the short term, what new areas of non-compliance might European privacy regulators focus on?

If I were a privacy regulator, I would focus on records management and, in particular, the greatly ignored area of records retention. So many organisations find it hard to develop, let alone implement, comprehensive records retention policies. Are they in for an unwelcome surprise? The GDPR is (apparently) going to require data controllers to be more transparent about their records retention policies.

The potential fine for not informing individuals, as their personal data is being collected, about retention periods is of course significant. But do (even) regulators take the issue of data retention that seriously?  Outside the communications sector, how much interest, or formal enforcement action, has ever been taken against data controllers with regard to breaches of the Fifth Data Protection Principle?

I’m not aware of many cases. Over retention may have been an aggravating factor when the ICO considered the level of a fine for some incidents involving security breaches, but there are very few recorded cases of enforcement action being taken just because a data controller retained data for longer than the regulator considered necessary.

Perhaps this will change.

But, since most data controllers have paid no more than lip service to the difficult issue of the period for which the personal data will be stored, I doubt that many currently feel that the ICO’s attitude will change significantly in 480 days time.