This week, I had the pleasure of communicating GDPR to over 30 accountants, over breakfast.
Now, I recognise that might sound like a potential snooze-fest, particularly after a good breakfast. In fact, it was a really enjoyable event, and one that all involved said had really helped them. That is great feedback to hear as a speaker (phew!). I was perhaps helped by the grey weather outside, but the view (in the photo shown) from SushiSamba in Heron Tower was still pretty good.
Partnering with PracticeWeb, I had the challenge of summarising GDPR into a 45-minute breakfast briefing.
The potential to understand the impact on your firm certainly appealed, as over 30 guests joined us.
Those of you who have read my previous posts on GDPR will know that there are many impacts to consider. Avoiding a nasty surprise means thinking more broadly than just the “opt-in consent versus legitimate interest” debate. In this talk I provided a high-level overview of my training on GDPR. So, I’ll share highlights of my talk, in the hope that it helps you too.
How to summarise GDPR for your business
Talking with data leaders recently, it seems many have been set the challenge of educating their business on GDPR. The wording of GDPR also expects the accountability of Data Controllers to include the culture of the organisation. Akin to the FCA fines on firms not embedding Conduct Risk into their culture, I would expect to see the ICO also looking for such systemic evidence.
So, it occurred to me that the challenge I had (for this breakfast briefing) might be equivalent. If you, as a Data or Analytics leader, need to educate your business, I hope this post gives you some pointers on how to condense so much information into a 45-minute presentation that people will remember.
Anyway, here goes and feel free to contact me directly if you’d like more information.
Why people should care
The first agenda point was to ensure everyone understood what GDPR was and why it mattered, from a history of how we got this regulation to understanding the goals of the EU in creating it.
Given some negative press and scaremongering around GDPR, some people are surprised to discover we have been here before. Both our existing DPA and the Privacy & Electronic Communications Regulation (PECR) followed EU versions.
But, more important than the history, or explaining the contents of GDPR (which I also did), the key point is impact. Why should businesses care?
The popular answer to that question is, of course, the scale of the potential fines. However, there are other considerations. Given Elizabeth Denham has been at pains to point out that fines will be proportionate, it’s worth thinking about other powers. Under GDPR, the ICO will also have the power to turn up at your premises, audit your data and even revoke your right to use personal data.
But given the growing visibility of ICO fines and the expected media focus on GDPR next year, also consider your reputation. Like the FCA, the ICO is showing signs of going for the ‘naming & shaming’ way of proving they have ‘teeth’. Failing to appropriately manage people’s data could just be your biggest reputational risk.
So, in short, it really matters. To your brand & your bottom line.
Communicating GDPR: 7 principles & 13 concepts
After establishing the importance of this topic, my next concern was to ensure my guests captured its spirit. What I mean is the intention and themes of this legislation. If, as I advise, firms are to avoid a ‘tick box compliance’ exercise, it’s important to understand the aim of these new rules.
To help with that I shared the 7 overall principles of GDPR. These will replace the 8 principles of our current Data Protection Act (DPA). They consist of a list of 6 principles, plus one overarching new principle. Together these are very similar to the DPA principles, supporting the argument that GDPR is ‘evolution’ not ‘revolution’.
The 6 principles are:
- Lawfulness, Fairness & Transparency (3 for the price of 1)
- Purpose limitation (only use data for the purpose it was given)
- Data minimization (only hold the data needed to do as promised)
- Accuracy (you have responsibility to keep data accurate)
- Storage limitation (don’t store data for longer than needed)
- Integrity & Confidentiality (ensure the security of data held)
Plus, that one overarching principle, the one that has added more teeth to GDPR compared to the current DPA:
- Accountability (the data controller is accountable for, and must demonstrate compliance with these 6 principles).
Almost every question I am asked about specific situations comes back to applying these principles.
But, in order to understand ‘what good looks like’ and the evidence the ICO will expect to see, people also need to grasp 13 concepts. These are a purely subjective collection of aspects of GDPR rules that I find are important and relevant for businesses. Simplifying all the content you could cover down to at most 13 concepts helps people digest it all.
So, here are the 13 concepts I decided to cover in this talk (and that delegates work with on my training course):
- Personal Data (understanding the broader definition, as well as who is the data subject and the role of pseudonymisation).
- Consent (the “higher bar” of positive opt-in, with specific informed consent, evidenced by unambiguous action).
- Legitimate interests (the hope this gives for marketing existing customers, but the caveats that need to be considered).
- Right to object to profiling (a misleading name, when focus is really on automated decisioning with high-risk impacts).
- Right to object to marketing (including the importance of making clear and explicit how to opt out whenever they wish).
- Right to be forgotten (covering both the responsibility to inform other controllers/processors & potential solutions).
- Right to data portability (discussing the examples already in utility sector and the model coming from Open Banking).
- Subject Access Requests (why businesses need to be prepared for many more, now they are free and should only take 1 month).
- Privacy by Design & Data Protection Impact Assessments (what both expect & how to start changing project processes).
- Data Protection Officer (who needs one & their protected role, on behalf of both organisations & data subjects).
- Record Keeping & 3rd party Contracts (yes paperwork, not only does GDPR cover paper ‘data’ but also requires more records).
- Data Processor liability (no more of the buck sitting only with data controllers, both have responsibility & need due diligence).
- Data Breaches (your responsibility to mitigate risks & notify data subjects, within 72 hours, in plain language, for high-risk cases).
Other topics always arise, including the other bases for storing and using personal data. However, I find that talking your audience through these 10 concepts prompts the most relevant examples. This is especially true if you can represent each of the above with a photo, a memorable image.
When giving this talk or training, I also see leaders pause for thought when I remind them we are not just talking about customers. We are talking about personal data held on any person. For instance, too few employers are thinking about the data they hold on their employees. Are you GDPR compliant in data held & your monitoring of staff/colleagues?
Where to start? 4+2 ‘first steps’
Once we have covered all that detail, I am starting to feel sorry for my audience. I know it can feel overwhelming, with so many potential threats to consider and so many aspects to investigate.
For that reason, I shared with our breakfast guests a few tips on getting started. Firstly, despite there still being areas that lack clarity, it is worth consulting the infographics published by the ICO themselves:
But, given their 12-step plan looks scarily like having to work through my 13 concepts, let me try and simplify. I don’t believe any UK business will be perfectly compliant by May 2018. So, the most important thing now is not to procrastinate and to identify what matters most, so you can start to take action.
I recommend these 4 simple steps to prepare for GDPR:
- Audit all your existing personal data & data processing. This provides a blueprint worth keeping up-to-date.
- Identify and prioritise where you find non-compliant data/processes. Start work ASAP on what is high-risk but doable by May 2018, even if only one fix at a time, and keep the list.
- Change your project process now, to include Privacy by design and default. Do this through routine Data Protection Impact Assessments. Develop a simple template to produce these.
- Educate your wider business. Empower all your staff to think about how the spirit of GDPR can be implemented in all you do. Akin to the way the FCA looks for cultural embedding of Conduct Risk mitigation.
In addition to those early steps, I also encourage leaders to see GDPR as a positive opportunity: a chance to develop a better relationship with your customers (and staff), based on trust. As well as the research I have previously shared on this, I recommend 2 more steps:
- Develop a compelling Customer Value Proposition (a reason for people to share their data with you as they want what you can do with it).
- Communicate this and the protections you have implemented, to your customers and employees. Do so simply, transparently and where appropriate, humorously. This video from Alan Carr for Channel 4 is a nice example of what I mean:
How are you communicating GDPR within your business?
Now your business may not be an accountancy practice, but you’d be a rare organisation not to be impacted by GDPR. Other research has shown that more and more marketing/data/analytics leaders are now owning this problem. They are responsible for customer data in their organisation.
If that is you, if you are ‘on the spike’ for GDPR compliant use of customer data, how is it going? Do the tips above help you?
Any other suggestions for preparing for GDPR? Which events, tools or plans are helping your business?