GDPR: transition mission

Written by: Jon Watkins Posted: 14/03/2019

One year on from the introduction of GDPR, a period of transitional relief – aimed at giving firms more time to comply with some aspects of the regulation – is coming to an end. What’s the impact of the new rules? And are you ready for the next deadline?

Billed by some as ‘the most important change in data privacy regulation for 20 years’, the European Union’s General Data Protection Regulation – or GDPR – came into force last May amidst considerable consternation.

At its core, GDPR was introduced to standardise data protection rules for all companies operating in the EU, wherever they’re based – with the aim of giving people more control over their personal data and ensuring businesses can benefit from a level playing field.

However, with many media outlets and consultancy businesses seizing on the maximum penalty for non-compliance – up to €20 million or 4% of annual global turnover, whichever is higher – the run-up to implementation was a period of great concern for many businesses.

Despite that, Dr Jay Fedorak, Information Commissioner for Jersey, says implementation of the new GDPR regulation has been smooth for most. “The evidence I’ve seen is that [management of the GDPR process] has been positive,” he says. “The companies I’ve talked to have exceeded my expectations with their commitment to implementing the requirements. It’s been very pleasing.

“People in the community received these threats that they would receive significant fines on day two if they weren’t 100% compliant on day one, but those fears were certainly unfounded.”

Elaine Gray, Partner and Head of the Dispute Resolution and Litigation group at Carey Olsen in Guernsey, agrees that implementation has been relatively smooth. “In the lead-up to implementation, there was a good understanding that change was afoot. There is, generally, a high level of compliance. We’ve been instructed on a few data breach queries and on data access requests but, on the whole, companies have got their processes in place, they’ve done their leg work and it’s working pretty well.”

What issues might your business face?

What issues and challenges might Channel Islands businesses face once transitional relief ends on 25 May 2019? Richard Field, a Partner at law firm Appleby in Guernsey, explains the types of queries and challenges that have already been raised since GDPR was introduced last year.
   “We’re seeing a lot of businesses working on their websites and privacy notices, and on data protection in the context of technology projects. There have been a lot more examples of businesses saying: ‘We’d like to introduce an online portal for our customers, but we’re concerned about the data protection aspect’ and they’re raising that from the very beginning rather than at the end.
   “We’re seeing a growing number of subject access requests from individuals trying to find out information about what’s being held on them. We’ve seen a few data breaches, a little enforcement work – although that’s very collaborative in its nature. And we’ve seen quite a lot of thinking around international transfers, particularly in the context of Brexit and what might happen in the UK.
   “I think, overall, the number of queries has been pretty broad and not hugely out of line with what we might have expected – but these issues are certainly a good indication of the types of issues for which companies need to be prepared come 25 May 2019.”

 

A new deadline is coming

Although May 2019 marks 12 months from the introduction of GDPR, it will also mark the end of ‘transitional relief’, a one-year grace period provided to Channel Islands firms for some areas of compliance with Jersey’s and Guernsey’s GDPR-equivalent laws.

The transitional relief period was brought in to give local organisations time to fully prepare for these more complicated areas, including impact assessments and data portability, whereby all islanders will be legally entitled to ask an organisation that holds their personal data to transport it to another organisation in a format that’s easy to download, organise and tag and can be machine-read. 

While Fedorak is pleased with firms’ general progress to date, he warns against complacency in the lead-up to the May 2019 deadline.

“Data controllers need to make sure they are impact-assessment ready by 25 May 2019, which is not far away,” he adds. “By then, systems, documentation, policies and procedures must meet the requirements of the Data Protection Jersey Law and Data Protection Authority Law. Time is of the essence.”

Gray agrees. “The transitional arrangements did not give everyone a ‘Get out of jail free for a year’ card,” she says. “Many of the transitional elements dealt with information companies already held before the new regime came in, and allowed you to continue working with that information as long as you met certain conditions.

“Information that was held before 25 May 2018 is what we call pre-collected data. Under the new regime, companies will have to give a lot of information about what data they are getting from people and why, so they should be spending their time now making sure they’ll be able to do that when the new date passes.”

Mel Pardoe is Data Protection Officer for BDO in Jersey, which includes Channel Islands IT consultancy C5 Alliance, and is responsible for monitoring GDPR compliance within her organisation. She says the key to successful implementation for her team has been making GDPR “business as usual” rather than a “project with an end date”.

“GDPR is partly a cultural issue, with constant requirement for training and adaption,” she says. “Of course, there are also lots of practical things to do – updating contracts and other paperwork, undertaking training activities to raise awareness within the business, updating databases, testing systems and processes and so on.

“Transitional relief was introduced to help businesses proactively change the way they do things – to give time to embed new procedures such as impact assessments. It’s not an extra year or ‘grace period’ to implement GDPR or a reason to postpone compliance,” she adds.

“By now, businesses should already feel they are prepared, and that they are not racing to meet another deadline. If they are still concerned about the systems and processes they have in place, they are probably behind where they should be.”

Everyday lives

Emma Martins, Data Protection Commissioner for Guernsey, agrees that businesses should be treating GDPR as a ‘cultural issue’. She adds that the rise of social media channels and greater awareness generally of the role that data plays in people’s lives has helped organisations understand why compliance is important.

“In the past, regulation and compliance has been boxed off in organisations – with the compliance officer often sat in an office at the end of the corridor and everyone in slight fear of them,” she says. “Nowadays, however, all of our lives are ‘data-fied’. Whether you’re going to your doctor, messaging friends, buying something or travelling, you are leaving a data trail, which gives an extraordinarily detailed view of you. 

“It’s a part of every single moment of all of our lives. People now understand that far more, so there’s greater awareness that this is a profoundly important issue. Companies are seeing that this is not a clinical tick-box exercise.”

For those companies that feel they are not on track for the end of transitional relief, Martins says her office is keen to engage and to work with them to achieve compliance.

“We want people to comply with this out of enlightened self-interest as opposed to fear of the regulator and of fines,” she adds. “So, in terms of our outreach, we want to do more. We held a networking event for data protection officers alongside the Europe-wide Data Protection Day that took place in January. And, as we get more resources available to us, we’ll continue to do more outreach work like that.

“The key, however, is that businesses really need to buy into this from the top. Boards that have little or no expertise in this area are quite dangerous, so executive and non-executive directors have a huge part to play in setting the tone within businesses to ensure this issue of data is treated with the importance and seriousness it should be.”

GDPR: The modern-day Millennium Bug?

The Doomsday-style coverage given to GDPR – including the maximum potential fines that companies could face – was reminiscent of the scaremongering that took place in the lead-up to the year 2000, when many warned that computers hit by the so-called ‘Millennium Bug’ would lead to planes falling out of the sky and other catastrophic events.
   “A lot of the noise around the fines was largely driven by a bandwagon mentality of ‘here’s the next big thing that we can make some money out of’ from a bunch of so-called experts who appeared out of the woodwork,” says Richard Field, Partner at law firm Appleby in Guernsey. “If those consultancies had acknowledged the actual situation, based on what had gone on previously, they’d have realised that companies getting those huge fines were few and far between.”
   Elaine Gray, Partner and Head of the Dispute Resolution and Litigation group at Carey Olsen, Guernsey, agrees there was a level of hysteria, but adds that it helped to put the issue on the agenda for many businesses. “I think there’s a sense that implementation was going to be an ‘Apocalypse Now’ scenario,” she says. “It certainly wasn’t for most of the companies that we deal with, advise or interact with. However, what I think that high profile did, in a way, was to raise awareness among companies of the issue and that it was something they must look at.
   “At the end of the day, we live – and should live – in a properly regulated space. Information is the new currency and when it’s abused, it has so much impact. So, although the headline potential fines didn’t apply to most, it was right to raise awareness and to warn people about it. There were some that overdid it, but I think the context in many cases was right.”

 

