By Steven Vermeulen, Belgium, Sheila Pancholi, UK, Rien Hommes, Netherlands, and Terry McAdam, Ireland
WHAT HAS THE IMPACT BEEN ON MIDDLE MARKET BUSINESSES IN THE AFTERMATH OF ‘STORM GDPR’?
As the General Data Protection Regulation came into force, Sheila Pancholi, a risk advisory partner in the UK witnessed many middle market organisations leaving preparations for GDPR compliance very late into 2017 and early 2018. This resulted in last minute panics and trouble sourcing professional support externally as the market demand for specialist support became oversubscribed. Given the complex nature of the GDPR and the fact that this was a completely new regime of data protection regulation, it was difficult for any organisation to confidently say that they were ‘ready’ or ‘compliant’ by the 25 May 2018 deadline.
Rien Hommes, a risk advisory partner in the Netherlands concurred, saying “In fact, when the regulation came into force in the Netherlands, almost no businesses were fully GDPR-ready.” He went on to say that “…there were many programmes initiated to take stock of what still needed to be done. This always turned out to be more than what had initially been estimated.” According to Hommes, the reasons behind the lack of preparation were that multiple skills and experience were needed. This included skills such as, legal knowledge, IT skills and organisational expertise. Ultimately, this meant that, generally speaking, solutions have not proved to be as simple as was originally estimated. One year after the introduction of the GDPR, Hommes advised, “we are gradually seeing the dust fall from the first implementation”.
In Ireland, the level of readiness for GDPR varied hugely, particularly at the point when the new regulation became effective. Terry McAdam, an RSM partner in Ireland observed, “Many businesses in healthcare and financial service sectors invested significant funds and time to become as compliant as practically possible.” However, McAdam went on to say that “…many middle market organisations were much less prepared as GDPR came into force on 25 May 2018, as were some public sector bodies”. This scenario resulted in huge demand for relevant services in the early summer of 2018. Interestingly, the storm has barely passed, as this position in Ireland has been sustained for much of 2019. According to McAdam and his team, they are still being to be asked to help various small, medium and large sized businesses in the middle-market to boost their compliance with the new data protection standard or respond to customer and employee queries. They are also seeing an increase in appetite from those who already have a compliance regime established, to having its operation reviewed, particularly in light of trends emerging regarding data protection practices, now that the GDPR has been in situ for one year.
While Ireland saw an increase on enhancing data protection practices and preparing for the future, Belgium tells a different story altogether. Steven Vermeulen noted that although there was a lot of hype as the General Data Protection Regulation came into force, the commission in Belgium has been unable to source enough skilled data protection professionals to conduct the necessary checks on businesses. The result is that only a few checks have been completed and there have been no fines to date in Belgium. The knock-on effect of this has meant that there is now a falling interest in the GDPR. In fact, Vermuelen went on to say that “everyone is now fed up with the word G'DPR'”.
However, despite the negative connotations that the acronym has had, Vermeulen also acknowledged that there is an increased interest in data protection. Until businesses take the impact on IT technology and their systems seriously, there will not be the shift needed to ensure that they will meet the requirements of the GDPR. With a new Chairman appointed to the commission, once it is operating as it should, there is likely to be another revival of interest by the end of 2019.
“All too often businesses decline a full vulnerability scan, in fear of what might be found” – Steven Vermeulen
THE MOST CHALLENGING GDPR PRINCIPLES FOR BUSINESSES
In the UK, Sheila Pancholi has observed that businesses that hold large volumes of personal data and share this readily with other third parties find establishing these principles difficult. Undertaking personal data discovery and determining what data can be stored and for how long has been time consuming and complex for many businesses. Another factor has also been due to significant changes to the data controller and data processor responsibilities. Identifying third parties with whom personal data is shared and the controls employed by the third parties has also been challenging. Establishing new contractual terms takes time, specialist legal input and co-operation from all parties. For many middle market businesses in the UK, this has been a costly and cumbersome exercise.
How to work with third party suppliers has also been a key challenge in the Netherlands. Hommes states, “Many businesses I have worked with in the past year have experienced problems with the responsibility for privacy in the chain with their business partners.” The reason behind this is that many suppliers sent their clients a processing contract in order to minimise their responsibility for privacy. Hommes notes, “Controllers found it difficult to bear this responsibility, especially if there was a data leak occurring with their supply chain partners, which would mean the need to have to report this to the authorities and stakeholders.”
In Ireland, many businesses in the middle market continue to regularly revise and update the content of their privacy statements whether on the web or within printed collateral. According to Terry McAdam. “They are finding it really challenging to define their data handling practices in a transparent yet concise way and frequently reach out for support.” This position appears to be exacerbated when they find themselves managing personal data for a variety of differing purposes and particularly when sharing such data with third parties.
The public sector in Ireland has faced a number of issues when seeking to become compliant with the updated data protection regime. The sheer extent of their historical hard copy records, mean they rarely have confidence that they have uncovered all the personal data under their control whilst the scale of their service user base makes the management of consent nigh on impossible without the deployment of self-service technologies.
For businesses in Belgium, the biggest challenge continues to be how to detect data breaches. With the GDPR, there is an obligation to notify authorities within 72 hours, however in reality, detecting a breach can take much longer. The remedy for this is to undertake an IT audit, but Vermeulen is seeing that, “all too often, businesses decline a full vulnerability scan, in fear of what might be found”. Businesses are commonly opting for a light vulnerability scan, afraid their systems will go down, but leaving them more exposed to risk of a cyberbreach and potential loss of data. There is a certain irony in that if these businesses chose to conduct a full vulnerability scan, this would provide a clear set of actions of what should be done to secure IT systems to de-risk a data breach. Moreover, this would add the benefit of being able to demonstrate all efforts have been made to comply with the GDPR in the event of a breach.
GDPR AND FINDING OPPORTUNITY IN CHANGE
In the Netherlands, Hommes observed, “The GDPR is generally seen as yet another administrative burden. However, we often see that setting up a process properly also provides clarity and can also make a process much clearer. I have seen the amount of polluted data decrease dramatically at the clients where we implemented process improvements.”
From a UK perspective, Pancholi is pragmatic, saying, “With the increase in digital channels, connectivity and cybercrime, data privacy was long becoming an issue well before GDPR came into force in May 2018”. The GDPR has simply reinforced and strengthened the rules.
Good data governance requires effective alignment between people, process and technology. Under the GDPR this includes:
- Policies and procedures for managing data handling, security, protection and retention
- Regular user education and awareness including induction and refresher training for staff at all levels throughout the organisation
- Systems that will support data security, the segregation of duties, protective marking, data storage and retention processes
In Ireland, McAdam believes the advent of the GDPR in Ireland has been a catalyst for many organisations to critically review all the data they hold and their rationale for doing so. This has led to projects being commissioned to reduce, in a controlled manner, the volume of data (not just personal data) held, whilst ensuring the quality of the data retained is enhanced. As a result, better customer service is enabled, and the data presented to decision-makers is more reliable. “We are also seeing renewed interest in projects centred around record management and the marketplace benefits accruing to entities from attaining accreditation in this area,”McAdam advises.
For Belgium, there is now some apathy in talking about the GDPR. However, Vermeulen has found and stated, “If you tell them about data protection they are interested”. Essentially, it is the same thing.
Off the back of the GDPR coming into force, businesses in Belgium are increasingly interested in ISO 27001, an international security standard that provides requirements for implementing, maintaining and enhancing an information security management system (ISMS). A framework of policies and procedures, ISMS includes legal, physical and technical controls involved in an organisation’s IT risk management.
WHAT IS ON THE HORIZON FOR DATA PROTECTION?
Ultimately, the sooner you address emerging data privacy laws and regulations, the better case your organisation can make when taking data privacy seriously, even if you’ve not yet fully completed your compliance programme. Like it or not, the GDPR is here to stay and has initiated somewhat of a global trend in countries across the world tightening their data privacy laws.
However, it’s not just personal data that needs safeguarding, the commercially sensitive data that underpins our core business operations and services is equally valuable. Ensuring your employees, customers, suppliers and partners can trust you to conduct business with them, could be defined by your ability to demonstrate good data governance and privacy.
New European regulations requiring the certification of products with a security component have recently come into force. This forces suppliers to implement privacy by design solutions. The privacy regulations will integrate with higher security standards. Ultimately, this will lead to better and safer products and solutions.
Those organisations who have invested significant sums to maximise compliance with the updated data protection regulations are keen to exhibit their efforts to their customers and employees. They wish to be positively differentiated from their peers based on the importance they attach to protecting the personal data of individuals. Given this mindset, there is growing interest, from such entities in the emerging codes of conduct which can give both recognition to their ongoing compliance efforts and comfort to their customers. In the short-term, whilst these benchmarks continue to take shape, many organisations are addressing the void by retaining advisers to conduct independent audits of their compliance with the prevailing data protection legislation.
“One of the reasons for the uplift of interest in ISO 27001 may be that when businesses are pitching for work or acting as third-party suppliers, increasingly they are being asked to demonstrate compliance with this standard," Vermeulen asserts.
For more information on the GDPR legislation, and advice on any relevant GDPR training, please contact us.