The way we use and share data has changed in ways we could have never imagined since the original Data Protection Act 1998. Given these changes the time was definitely right for legislators to update the legal framework by introducing the General Data Protection Regulations (GDPRs) to provide better protection for individuals in relation to their personal data – but ensuring full compliance with GDPR can be challenging and can entail a significant volume of work.
As Data Protection Officer for several of our clients we often find that whilst businesses demonstrate a good awareness of the obligations imposed by GDPR which was rolled out on 25 May 2018, they tend to question its rationale. Many perceive the time and effort required to avoid risking exposure to the increased fines (the higher of 4% of turnover or €20million) as a drain on their resources and an unnecessary burden.
We thought it might be helpful to use a simple analogy that businesses can hopefully relate to, to try to explain the imposition of those complex requirements…
It’s long been recognised that personal data has a value for those it belongs to and for those who have access to it, indeed many consider data to be the ‘gold’ of the digital age, so for the purposes of this example instead of using an abstract document or an email to illustrate the rationale behind GDPR, we are using cold hard cash!
Assume therefore that you have a sum of money – for argument’s sake let’s say £1K- and you are going to give that sum in cash to a custodian (a friend) for them to safeguard – what conditions might you think it reasonable to impose on custodian?
• You might expect them to be open about where they intend to keep the money, what they will do with it and who else will have access to it;
• You might expect them to store the money securely for example by keeping it in their house, rather than in their pockets or handbag, and perhaps by alarming the house or even keeping it in a safe;
• You might expect them to tell you if they give the money to someone else and if they do, they should impose the same storage conditions on that third party as they have agreed with you;
• If they are burgled and your money is stolen, you would expect them to tell you in a timely manner – similarly if they lose your money;
• If you have agreed that they can use the money for a particular purpose whilst they are the custodian, for example investing in shares or for a charitable donation, you would not expect them to spend the money on a holiday for themselves;
• If you need or want your money back at any time, you would expect them to be able to facilitate this within a reasonable timeframe.
How would this approach differ if the sum was £100K or even £1M in cash? You might expect your friend to take additional measures to those you would expect for £1K… that’s the subject of another blog for another day though!
If we revert back to placing our personal data with the custodian (GDPRs call the custodian the data controller) rather than our cash, the above example hopefully illustrates the importance of ensuring that appropriate safeguards are put in place to help build trust and confidence in how organisations look after and make use of our personal data.
The reason that data protection can be so exasperating and difficult for many businesses is because the law places a lot of the onus on the custodians (data controllers) to decide when the “cash/ personal data” is at risk and to take “appropriate measures” to manage the that risk. In some instances the law goes a little further to say if you are a custodian/data controller, there are some things you must do (e.g. notify certain security breaches within 3 days of becoming aware, or take certain measures regarding marketing data or where you are involved in “high risk” processing). However, in other cases, it’s less clear and so you will need to decide what “appropriate measures” are necessary.
We hope that the analogy we have used goes some way toward debunking the myth that GDPR creates yet another completely unnecessary compliance burden for small businesses to address and that it should be embraced as a positive step towards protecting the privacy rights of individuals in our increasingly digitalised world.
If you need any advice or assistance with your privacy program or your compliance journey, please contact Alison or Tracey at Lawpoint for a chat. S