Peter Rosenwald believes that, when it comes to data protection regulations, if you think compliance is expensive, try non-compliance.
The General Data Protection Regulation (GDPR) was agreed on 15 December 2015; it should enter into force this summer, with compliance required from spring 2018 (it applies from 25 May 2018). There are many changes in the regulation, but the biggest change for most professional practices is that the teeth and claws of the Information Commissioner's Office (ICO) are out, with the professions in its sights. There is also a zeitgeist around personal data, putting it at the forefront of the trust relationship between practice and clientele. The next two years are a fabulous opportunity to build trust, not lose it.
From 2018, data you hold on a data subject (an identifiable person) must be 'forgotten' unless you can show that the processing rests on one of six lawful bases. For marketing purposes, meeting the requirements of either legitimate interest or consent (opt-in) will allow you to process the data and communicate with people. If not: prospects, deleted; referrers, deleted; Outlook contacts, deleted; ex-clients all gone; and the Excel lists and more hiding away in dark corners will continue to breach the law. According to many, IT departments will take up to a year to get the processes in place and then another two to three years to get prospects opted in (the preferred route). The time for action is now. As Chris Evans (Radio 2) neatly put it, "time flies and we are the pilot".
Professional practices have, on the whole, poor or non-existent CRM, with little understanding of what data lurks in the practice and what processes need to be in place. A client recently stated in pre-audit documentation that it shared data with one external agency; the truth was 12! Our conclusion is that you should buy in a compliance audit, create a gap analysis and a programme for compliance. It is inevitable for most practices, and time is short, so you need to get on with it.
A 40-partner practice recently spent four months cleaning, de-duplicating and emailing for opt-in all of its partners' contacts, uploading them to the CRM and deleting them from Outlook and little black books.
What change has the GDPR brought?
Data protection regulation was behind the curve, and the majority of professional practices toddled along slightly further behind, with multiple unpoliced breaches tucked away in Excel spreadsheets, badly managed CRM, personal comments littering contact and client records and virtually no opt-in. The GDPR is a huge step forward: it is written in the language of IT, with an understanding that data and IT (big data, apps, social media, etc.) are the ecosystem in which business now works, while paying homage throughout to the right of the individual to be in control of their data.
- Huge fines: up to €20m or 4% of the previous year's worldwide turnover, whichever is higher, for the most serious breaches, and up to €10m or 2% for less serious ones. This is a vast step forward.
- The regulator is also calling for custodial sentences.
- You may need to appoint a named Data Protection Officer (DPO).
- Consent has tightened, with the consumer at its heart.
- Consent will no longer last 'forever': consents will be like time bombs that self-destruct after a period of time (we believe 24 months).
- To be 'safe', consent needs to be explicit and informed, so consent wording is crucial, as is being able to prove that consent was given.
- A 'right to be forgotten': when an individual no longer wants her/his data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted.
- Data portability: an individual will have the right to ask YOU to transfer their data to another accountant or lawyer.
- Easier access to one's data: more information on how their data is processed and used, and a free right of access to it.
- The processor's responsibilities have jumped: data processors now carry direct legal obligations for the safety of personal information in their care and can no longer pass the buck to the data controller.
- The controller can no longer turn a blind eye to the supply chain.
- Due diligence on how suppliers use, process and keep data safe is mandatory.
- The invalidation of the Safe Harbour scheme by the Court of Justice of the EU in October 2015 means that using suppliers and processors outside the EEA is now fraught with danger.
- A requirement for prompt breach notification, within 72 hours.
Professional practices in the spotlight – naming and shaming on the ICO website
A company was fined £90,000 for making unsolicited marketing calls to sell… cold-call blocking devices! The Poole-based company was telephoning people to sell a call-blocking service and device to stop unsolicited calls, the same type of calls the company itself was making.
The Information Commissioner's Office (ICO) has the responsibility for ensuring we understand and abide by the rules. I recommend the ICO website: it's immensely clear and helpful, and also a great laugh; go to the naming and shaming page https://ico.org.uk/00, where I found the classic outlined above.
To put the appetite and teeth of the ICO in context: in April 2015 the Privacy and Electronic Communications Regulations (PECR) changed, removing the need for the ICO to prove 'substantial damage or distress' before issuing a penalty. The change came at a time of public anger over charity cold calling, highlighted by the case of Olive Cooke, a very good person whose death was widely linked in the press to relentless charity approaches; Olive was on the lists of 99 charities! ICO fines from April 2014 to April 2015 were £360,000; from April 2015 to February 2016 (after the law change) they jumped to £1,076,000. I think underestimating the ICO's ability and appetite to uphold the law will be a mistake.
Many of us reading the call-blocking company case above will be thinking 'ironic, but at least justice'. But in the same week I also heard of an accountancy firm inviting a man who had died two years earlier to its seminar… three times! Under the new regime a serious breach MUST be notified to the ICO. It's the law. Reputational risk?
Data breaches within the legal profession
Christopher Graham, the Information Commissioner, warned the legal profession of potential fines following a number of data breaches. Graham warned: "… It is important that we sound the alarm at an early stage to make sure this problem (data breaches) is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach…" Graham noted: "… but barristers and solicitors are generally classed as data controllers in their own right and are therefore legally responsible for the personal information they process."
Twitter has championed an 'it's my personal data' zeitgeist, and woe betide anyone, even inadvertently, taking advantage of someone's personal data. I cannot predict the future, but I would bet on the easily offended brigade eagerly, possibly even enthusiastically, taking on a legal or accountancy practice; your competition might even stir the pot! So not only must you notify, but an unaccountable apparatus is in place to amplify the offence.
Finally, your firm's DPO, or part-time equivalent, will in two years know that their head is on the block. As a consequence the law, quite rightly, will be applied to the letter and beyond. 'Mind your head', 'slippery when wet' and 'keep out of the reach of children' signs will go up all over your data. Every data subject for whom legitimate interest or opt-in cannot be validated will be deleted.
What should you do now?
Under the GDPR, privacy by design is put front and centre, and a Data Protection Impact Assessment (the GDPR's term for a Privacy Impact Assessment) will be mandatory at the start of any new project involving high-risk processing of personal data. The ICO website will give you guidance, or you can get ahead of the curve, future-proof your organisation and its long-term viability, and ask an external professional to perform a compliance or privacy impact assessment now.
As former Deputy US Attorney General Paul McNulty said: “If you think compliance is expensive, try noncompliance.”
Peter Rosenwald is Founder of Chartered Developments, lead generation for professional practices and financial institutions. Peter@chartdev.co.uk
Published in PM Forum Magazine – May 2016