The news that Google had received a 50 million euros (£44m) fine for a breach of GDPR made everyone sit up and pay attention. And it is now helping to build awareness within organisations of the importance of achieving compliance. We expect more activity in the months to come: both on the prosecution side and in terms of responses from businesses affected by the ruling.
We have already seen that happen with the Health Insurance Portability and Accountability Act (HIPAA) in the United States. The final regulation was written into law in 2013 but it took some time for businesses to appreciate its impact and its importance. When they did, the impact of the ruling started to snowball. The same is happening now with GDPR.
The Challenge of Compliance
For many businesses, the issue is that there is no standard checklist for officially demonstrating compliance with GDPR. Organisations must always do their best to comply under the law but unfortunately there aren't any simple tick-box solutions. They won't know for certain that they are compliant until an auditor comes in, checks their books and officially confirms that they are.
So, when the audit team arrives, businesses need to provide certain documentation required under GDPR. Typically, that will include a policies and procedures document, a data protection impact statement and a risk treatment plan.
At a minimum, those are the key documents that organisations need to put in place in order to make a reasonable attempt to comply with the law, but they will, in all likelihood, require additional evidence of compliance. Doing nothing is not a viable option.
The Role of the DPO
In working towards compliance, a growing number of organisations today are looking at hiring data protection officers (DPOs) or other experts. Whether this is proportionate will depend on the size of the business and whether it makes sense economically to have a DPO on staff or whether it would be better to effectively outsource the privacy officer function to an external organisation.
For GDPR, organisations have to have a privacy officer, and the position is similar under HIPAA in the US and under other compliance standards. Time is pressing on these issues. Whether the organisation decides to create this new DPO job role and commits to hiring somebody internally, or alternatively decides that it is going to outsource the function, it must above all make a final decision quickly.
Often, discussions on the role of the DPO and privacy officer can create the impression that GDPR is mainly a concern for large enterprises. That's not the case, of course: small businesses also need to act to address GDPR compliance. After all, they can't avoid GDPR any more than a large company can.
As time goes by and more cases are prosecuted, more fines and penalties are meted out, and press coverage of the issue continues to mount up, small companies will increasingly feel the need to proactively address the regulation. They might not have to comply in exactly the same way as a large corporation. They may not have to put a retinal scanner on the data servers that hold privacy information, for example, but they will have to do something to make sure that sensitive data is locked down with deadbolts, or implement some other apparatus to secure the data centre.
Making the Case
Given the work and planning that organisations need to undertake to comply with GDPR, it is worth highlighting that there is a strong rationale behind its implementation. I believe that the consumer owns his or her personal information and has a right not only to protect that information, but to determine when and how it's used; who gets access; whether it should be deleted, or even if it's removed from the service provider's database.
I believe that's the responsibility of the owner of that information: the consumer. Under GDPR, the consumer has a right to be forgotten. That’s not something that is fully enshrined in US law currently. But in the EU, if you want to eliminate your records from a service provider's database, you have that right.
The US is heading towards a broad, GDPR-style overarching privacy law. It may not happen in the first six months of 2019, it may not even happen in 2019 at all, but we are heading in that direction, as demonstrated by the recent law that was enacted in California, the Consumer Privacy Act. It's not exactly the same as GDPR, but it's similar, and is designed to protect the consumer and give the consumer rights that have not been fully acknowledged in the US for many years.
It is clear today that we are seeing a general move towards a greater focus on protecting consumer privacy. Organisations need to wake up to that growing call and ensure they are doing all they can to comply with the regulations that apply to them in the markets in which they operate.