Reports from the recent InfoSec 2017 conference suggest that the subject of the General Data Protection Regulation (GDPR) was on the lips of many exhibitors and vendors. This tallies with my own recent experience as a Data Protection Officer, and chair of NADPO (the National Association of Data Protection Officers): people are becoming aware of the changes that GDPR will bring, and their worries are driving a desire to know more and seek advice.
But I feel the need to add some words of caution. There is a wealth of material out there, and countless providers of “GDPR services”, but some of them are, to be blunt, not really up to the job.
So how do we tell the good from the bad? And how do we avoid the downright ugly? Well, I have a few tips…
The GDPR marks the biggest change to European data protection law in a generation. It will directly apply in the UK for as long as we are members of the EU, and the UK government has also made clear that it intends to adopt its provisions – in full – post-Brexit, for reasons primarily of facilitating and legitimising cross-border trade.
It represents a huge challenge as well as a significant risk to some organisations, including the threat of significant administrative fines for serious contraventions.
GPDR also brings opportunities – the time has never been better for organisations to get their houses in order when it comes to their information.
Good data protection practice requires good information management, and, with boards preoccupied by the presence of those potential huge fines, data protection officers and similar professionals might just get some of the attention and resources they’ve been crying out for for years.
But, with budgets being opened up, there are others who are also sensing opportunities. It seems like every vendor with even a passing acquaintance with information management now has a solution, or a product, or a “white paper”, which will assist organisations with getting up to speed with GDPR.
My response to most of these has become hardened in recent months. If someone approaches me now selling their GDPR wares, I have a number of tools to assess them.
- I check to see if the vendor’s website has a privacy notice or privacy policy. Almost certainly that website will be collecting personal data (whether it’s by asking users to register – for seminars, resources etc – or by inviting email contact). The personal data might only be a visitor’s name, and company contact details, but personal data it still, most surely, is. Current EU data protection law requires that, where you are gathering such data, you tell the data subject who you are, and what you’re going to do with their data. You would be surprised how many vendors fail to comply with existing law by not having a notice or policy.
- If there is a privacy notice or privacy policy, is it GDPR-compliant? It’s one thing to have a small-print hyperlink at the foot of a page, with boilerplate text, and another thing to have a clear and concise notice, easily accessible and given at the time the data is gathered. This might be a big ask, but if you’re going to seek my business by putting yourself forward as a GDPR expert, I want you to show me some evidence you’re making an effort.
- Does the vendor say, as a general proposition, that consent is required to gather people’s data? Many do, and it is simply not true. What is true is that when consent is relied upon as a basis to justify processing of personal data, GDPR requires more of an organisation than existing law does, but there are many circumstances where consent is not needed to process personal data (often there will be statutory or other justifications which dispense with any consideration of consent). If the vendor doesn’t know this, how are they going to be able to advise on other GDPR matters?
- Does the vendor emphasise the huge potential fines? I can understand why they do this, but bear in mind that existing UK data protection law already contains the power for the regulator – the Information Commissioner’s Office (ICO) – to issue fines, and while the ICO sometimes does so, it actually only exercises that power in exceptional circumstances, and there is no reason to think this will be any different under GDPR. Fines are a risk, and they do help focus the mind, but the regulators will not be dishing out lots of them.
- Finally, and most obviously, who exactly is it who is offering this service or solution? Do they paint GDPR as solely an information or as a cyber-security issue? Is this vendor a person or a firm that has a background in data protection, or is it someone who wasn’t even offering a data protection product a few months ago? These latter types are certainly circling the skies.
One speaker at a recent event I attended asked the delegates whether any of them had “actually read the GDPR – you know, the booklet itself”. I didn’t have the energy to tell him that some of the delegates had been reading, and applying, data protection law for many years, some even since 1984 (the date of the UK’s first Data Protection Act). Expertise in data protection is not something acquired overnight.
This is all important because data protection is not just about information or cyber-security. Fundamentally, it’s about people, and people’s rights. It’s about being fair, and transparent, and – yes – secure, when handling people’s personal data.
Not all non-specialists are awful, and some can helpfully provide a part, maybe a technical part, of a solution, but when it comes to general support and advice for GDPR purposes, choose someone with a clear and demonstrable track record in data protection.
So next time you get cold called, or approached at a conference, by someone claiming expertise, why not ask them a tricky question, like “do you need to show damage before you can claim compensation for distress for a contravention of the Data Protection Act 1998?”. There’s a correct answer to this, and genuine data protection experts should be able to give it. If you get a blank look, considering turning away.
David Appleyard
Jon : Its good to know its not just me. I regularly field calls from vendors who start with ” have you heard about the penalties” or “We have a GDPR solution” . My approach is to ask them to tell me something I don’t know about the GDPR and then listen to them struggle to even cover the basics. I am currently listening to a Countdown to GDPR webcast and they have just highlighted 90 years of security experience on the panel but not 1 year of experience in data privacy..
Paul Ducklin
At the risk of sounding self-serving…you might like to give this “alternative webcast” a listen :-)
https://news.sophos.com/en-us/2017/06/20/gdpr-burden-or-opportunity-cost-or-value-podcast/
We aren’t in the GDPR compliance business, so we aren’t trying to sell you a process or a consulting contract… and anyway the guest on the above webinar (John Shaw, VP of Product Management at Sophos) gives a thoughful, balanced (and refreshingly candid) view of the what/how/why of GDPR and where it is likely to take us.
Jon Baines
Thanks Paul – will certainly have a listen.
Jon Baines
Thanks David – your question to vendors is a brilliant one- I might just steal that!
0Laf
Some of the calls I’ve taken over the last 6 months have been quite frankly embarrassing. Generally the companies or at least their salespeople have absolutely no idea what they are talking about. If you’re in a bad mood and you want to bait the poor salesdroid try to get into a conversation about how the product will deal with the UK’s derogations.
Petteri
Marketing is about the creation of a reality distortion field. Some fields distort more than others. As a vendor providing a small piece of technology that _might_ help an organisation we can’t agree more with your post. We’re not data protection experts, but we try to understand how our technology could help our customer. And we do try to avoid creating messages like “100% GDPR compliance in two weeks – call us now”. It should be also clear that GDPR is much more about the processes of an organisation than a single piece of magical technology.