What does 'good' look like - time for a data healthcheck
There's a little phrase in circulation at the moment - 'post GDPR'. It's comforting to many. Sighs of relief all round the boardroom table: "GDPR day came and went and we didn't get caught - don't know what all the fuss was about".
It’s a reflection on how some see the process of compliance itself – as a box checking exercise, where you pass go if you have enough points collected. This comes unstuck if you don’t know how many boxes there should be in the first place; or if you can’t work out which are the ones that will get you across your self-determined compliance threshold.
Four months on from GDPR-Day, it is already time for a data protection MOT. Looking good on the road does not mean everything is going well under the bonnet.
Trying to convince a risk tolerant board to do this is another matter; they got away with it under the old DPA/Directive so how can you persuade them that this time things are different. Your organisation needs to be honest with itself: is it skipping off to adventures new or barely out of legislative rehab?
Back to our unconvinced Board members - "Who's going to come looking anyway..."
Good question: Well for one thing, governance is now sexy. Data protection, compliance and privacy are one of the fastest growing employment areas across the globe. The ICO themselves have announced an intention to employ 750 staff by 2019 – making them the largest data protection authority in the world. Compliance departments are popping up in legal practices and big consultancy firms; talented data protection professionals are setting up advisory companies of their own. These are, without question or exception, determined and principled professionals.
They aren’t alone either; employees, clients, customers, governments, Generation Z and the soon to arrive Generation Alpha, are all pushing for ethics to form the backbone of corporate and public sector behaviour. It isn’t enough to just nurture the shareholders anymore; digital technology enables every motivated individual to walk with their virtual feet. It has never been easier to turn your back on business practices you don’t like; whether that is by sourcing a solution on the other side of the world or building a community to undertake the task yourself, with funds provided by a multitude of small investors.
Do something that annoys your customers and you’ll find yourself the bad guy on social media; hide something behind apparent compliance and you’ll find a Regulator that is ready and willing to show their teeth; no one really wants to end up as their breakfast. And it isn’t just companies that find themselves under this particular microscope either, whole industries are discovering that lobbying parliaments is of little effect if the customer finds what you are doing to make money is not deserving of their trust.
To get a glimpse of what action taken by your detractors could be like for your business, take a look at recent actions the ICO has taken against organisations.
In some cases, the businesses involved were able to give the Regulator what they believed were appropriate levels of paperwork - long and comprehensive trails in fact - for the processes they were undertaking. Yet they still ended up with eye-watering fines because the Regulator didn't agree with their reasoning, their methods or their ethics.
Imagine how much worse it would be if you couldn't produce the governance goods.
It's no use thinking it's worth taking the hit and then appealing the fine - rather like a parking ticket you get a discount if you pay up on time - take it to tribunal and you automatically lose this. Legal fees are likely to be more than the penalty, could take anything up to 18 months and you might still end up with the fine anyway. Notwithstanding the effect on your business of having all of your energy taken up by legal proceedings and the reputational damage that you will incur.
Remember that happy employees, customers, clients, patients, students etc. rarely complain. The Subject Access Request comes from someone who already has a gripe or a grumble with your organisation. If you don't have the correct processes in place, the records of processing or the information someone knows you should have, you are an easy target for the disgruntled. They are willing you to fail and already have the ICO's number on speed dial. Even more unnerving is that if a trend appears in a particular type of organisation, you could find yourself tarnished by association and part of an industry wide investigation. You absolutely need to have done your homework on this.
Ticking boxes just isn't going to cut it in this new legislative and cultural environment.
Your whole organisation has to embrace a culture that is firmly embedded in good governance. You should already have completed a round of comprehensive, engaging training for everyone in the organisation. You should have established an open culture where people are willing to tell you what they are doing with information and working out whether this can carry on. You need to identify whether you are hiding behind processing agreements that won't hold up to scrutiny; or assumed, but unsupported legal bases for processing (legitimate interests anyone?).
Many people who receive devastating diagnoses say 'I knew there was something not quite right - if only I had checked it out sooner' - the case for checking the health of your data protection practices is similar.
No one ever cried on the way home from hearing that all is well in your world.