With a mammoth GDPR fine handed out to Google last week, it’s time for organisations to reassess their understanding of the Regulation.
We’re through the eye of the GDPR (General Data Protection Regulation) storm. May 2018 brought a whirlwind of panic as organisations rushed to meet the compliance deadline, but it was followed by months of unnerving silence. Organisations waited for signs of this ‘game-changing’ regulation, but the only GDPR-related news was stories of industry experts promising that fines were coming and warning people to stay vigilant.
Some began to lose faith. “It’s Y2K all over again”; a big fuss over nothing. As 2018 drew to a close, a few small fines were levied in Austria, France, Portugal and Germany. But it wasn’t until Google was slapped with a €50 million (about £43 million) penalty that people started to wake up to the reality that the GDPR is real, and it is spectacular.
The landmark ruling has created a new sense of urgency, with organisations realising that failing to comply with the GDPR can have serious consequences. In this blog, we recap the essentials of compliance, explaining how the Regulation works, who it applies to and how you can avoid the same mistakes that Google made.
Data protection under the GDPR looks like this: there are data subjects (that’s individuals like you and me), and we own our own personal data. The GDPR considers personal data to be anything that identifies, or can be used to identify, a living person, such as your name, National Insurance number or email address (personal or work).
Things get a little more complicated when you factor in that each piece of information doesn’t have to be taken on its own. Organisations typically collect and store multiple pieces of information on data subjects, and the amassed information can be considered personal data if it can be pieced together to identify an individual. Think of it like a massive game of Guess Who?
Who needs to pay attention?
The GDPR provides EU residents with eight data subject rights, and everybody needs to be aware of them to make sure that organisations are collecting our data legally. Google was fined, in part, because it violated the right to be informed. Under this right, organisations must provide a clear and easily accessible explanation of what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with third parties.
If data subjects think any of their rights are being infringed, they are entitled to submit a DSAR (data subject access request). This can be made either in writing or verbally, in the course of a conversation. You don’t have to use the words “data subject access request”; you can, for instance, simply say “I’d like to see what personal data you have on me”.
From an organisation’s perspective, it’s essential that employees who deal with customers are aware of this right and know what to do. They might have the ability to pull up records immediately, or they might need to direct the data subject’s request to their manager.
There are two types of scope that organisations need to be aware of: territorial and material.
Territorial scope refers to where the data is coming from. The GDPR applies to any organisation that collects the personal data of individuals within the EU or provides services into the Union.
Material scope refers to the type of information that’s being collected. The GDPR concerns personal data that is:
- Collected in an enterprise context; and
- Processed wholly or partly by automated means, or that is part of (or is meant to be part of) a filing system.
Before the GDPR, most organisations relied on consent to collect individuals’ data because it was straightforward. They included a tick box (often pre-ticked) on a form that asked individuals to agree to the organisation’s processing activities, and the individual wouldn’t be able to proceed unless the box was checked.
The GDPR makes the consent process much harder, encouraging organisations to use one of the five other lawful bases for data processing:
- A contract with the individual: for example, to supply goods or services they have requested, or to fulfil an obligation under an employee contract.
- Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement.
- Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s).
- A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as schools and other educational institutions, government departments, hospitals and the police.
- Legitimate interests: when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by negative effects to the individual’s rights and freedoms. Note that, if relying on legitimate interests, organisations should provide data subjects with an easy way of opting out.
It’s a data controller’s decision to determine the lawful basis of processing – processors act under direction from a controller, and aren’t allowed to process data unless they have a contract from a controller.
Whatever basis a controller uses, it must document it and make it available to data subjects. This is the second way in which Google violated the GDPR. In 2018, after consumer agencies in seven EU member states filed complaints against Google, the European Consumer Organisation said:
Google collects users’ location data notably through the features ‘location history’ and ‘web & app activity’, which are integrated into all Google user accounts.
The company uses various tricks and practices to ensure users have these features enabled and does not give them straightforward information about what this effectively entails.
France’s data protection regulator, the CNIL, investigated the claims, and concluded that Google hadn’t sufficiently explained the purposes for collecting data.
Did Google suffer a data breach?
One of the main purposes of the GDPR is to ensure that organisations follow best practices to prevent data breaches, but that’s not all it does.
Google didn’t suffer a personal data breach (an incident that compromises the confidentiality, integrity and/or availability of data). However, it did violate the rights of data subjects, which brings us to the second purpose of the GDPR: giving individuals more control over the way their personal information is used.
Organisations can’t therefore simply shrug off their GDPR compliance requirements by saying they won’t be targeted by cyber attacks. For one, that’s not true: cyber crooks usually seek out specific vulnerabilities rather than organisations, meaning that anyone is a potential target (and with cyber crime rising rapidly, your chances of avoiding an attack are shrinking).
Second, organisations must be able to demonstrate their commitment to data privacy in order to keep customers’ business. The GDPR is, in many respects, consumer-led; the investigation into Google was sparked by customer complaints, and the UK’s supervisory authority, the ICO (Information Commissioner’s Office), has reported a 15% increase in data protection complaints and a 5% increase in freedom of information requests since the Regulation took effect.
It’s possible – probable, in fact – that the rise in customers’ complaints actually correlates with organisations improving their security and privacy measures. After all, the increase in complaints doesn’t necessarily mean organisations are worse at protecting data – only that people are more aware of their rights and the importance of information security. They are better equipped to spot when organisations are doing something wrong, and know who to talk to about it.
Commit to privacy and transparency
Over the coming years, organisations will benefit hugely from a commitment to customers’ data subject rights. The ability to prevent data breaches will obviously always be vital, but the threat landscape is changing. Individuals are starting to accept that even if the organisation has followed best practices, breaches can still occur. This will become more ingrained as regulators decline to penalise organisations that were breached due to bad luck rather than negligence.
There are no such excuses when it comes to privacy and transparency. They are organisational processes with clear rules, which should always be considered when processing information. Meeting those rules takes careful planning, but it’s a small price to pay to gain stakeholders’ trust and continued business.
How can IT Governance help?
IT Governance is your one-stop shop for information security and regulatory compliance. Our range of books, toolkits, training courses, staff awareness solutions and consultancy services can help you with whatever you’re looking for, and our blog helps you stay informed of the latest industry news and advice.