Setting up your Data Register for GDPR compliance
Toon Borré: ‘It looks like Mount Doom. But you have to get over it.’
With only three months to go before GDPR becomes enforceable, we asked Data4S expert practice leader Toon Borré about the state of affairs. How are organizations coping? The outlook is mixed, to say the least.
Interview by Dirk van Bastelaere
In only three months, GDPR becomes enforceable. What did you notice doing GDPR projects? Where do we stand?
Toon Borré: ‘An important element like privacy by design should have been incorporated in any new implementation or use of personal data since May 2016. But companies seem to be unaware of that obligation, or they have simply ignored it. They often consider the two-year period since the launch of GDPR as a grace period, thinking that GDPR will only be ‘activated’ on May 26. But they are mistaken. On May 26, GDPR becomes enforceable, meaning complaints can be filed and procedures can be started.
‘If you have implemented anything involving personal data in the last two years, you should have considered privacy on Day 1 of your project, when defining functional requirements, and not at the end of your project.’
How do companies mostly proceed? Do you see a pattern in GDPR implementations? An approach that keeps returning?
Toon Borré: ‘Organizations that have started implementation can be divided into three types: the first type is driven by fear; the second type is aiming at the bare minimum for compliance; the third type is not doing anything but waiting for the May 25 2018 deadline to pass, just to see what actions EU Data Protection Authorities might take.
‘What they all have in common is a lack of knowledge of GDPR. Often, companies have simply overlooked the legislation, not knowing it was around. Or they simply ignored it, thinking they had all the time in the world to get compliant.
‘Many companies were aware of GDPR existing, but just didn’t know the details. They were unaware of the real impact GDPR will have and of the effort it takes to get compliant. That’s because they had not read the text. The communication on the humongous fines that can be imposed has unleashed a real scare in these last months. We are now seeing a transition from ‘fear of fines’ to ‘fear that the general public will exercise their rights as data subjects’.
GDPR: a lot of fuss about nothing?
Can you elaborate on the typology you just mentioned?
Toon Borré: ‘Type 1 organizations are driven by fear. They are afraid of the fines and legal actions that could follow due to non-compliance. They fear going bankrupt, or they are afraid that not being compliant might have a negative impact on their public image and brand. They want compliance as fast as possible, just to avoid the fines. B2B organizations especially fear that non-compliance will harm their ability to do business.
‘Type 2 organizations have realized GDPR is important. They know they cannot escape compliance, but they just want to pass the bar. These companies are just aiming for the bare minimum in compliance. The problem with this attitude is that GDPR demands a mindshift. It is not about implementing it to the lowest possible degree. It is not a one-off project; you need a cultural change in the handling of personal data. Setting the bar low is the wrong approach. Those organizations also struggle with the next implementation steps. They ask us to help them get minimal compliance as fast as possible, but they remain stuck in a privacy culture that has become obsolete.
‘Organizations of the third type ask what extra value they would create by implementing GDPR before it becomes enforceable. They ask: ‘Why do it now?’ ‘Why invest now?’ A lot of surveys are being done, in practically every member state of the EU. Several of those show that a large group of organizations is simply waiting for the ‘deadline’ to pass. Some surveys even say that over 50 percent of organizations are waiting. These companies wait to see what happens on the 26th of May. They sit back and watch what the first actions of Data Protection Authorities in different EU countries will be. They think: ‘Maybe it’s a lot of fuss about nothing?’
Is GDPR a lot of fuss about nothing?
Toon Borré: ‘Certainly not. I think there’s a lot of fuss about the right mindset, because essentially GDPR compliance is about mindset. As an organization you should take the privacy of your customers, contacts and employees really seriously. Your brand value will eventually depend on it. Organizations that are looking for added value are approaching implementation more and more from this mindshift point of view, thinking about ways to embed it in their organization.
‘I do see differences there between new organizations and older organizations, because the more legacy you have, the harder it is to transition into this new approach. Privacy by design is easier to install when you start right now: you have a regulation to follow. Fifteen years ago, there was a regulation for organizations to follow, but companies could not care less. Belgium’s 1992 legislation is causing a lot of companies a lot of headache right now, because none of them complied at the time.’
The Data Registry: face to face with Mount Doom
Toon Borré: ‘The biggest issue I see right now is the lack of a data registry. Organizations simply do not know what kind of data they have. The lack of a data registry of any type, shape or form is just astonishing. So far, I have talked to one organization that stated it actually has a data registry and one organization that has a data registry for the medical information it stores, but for no other personal data that the organization is processing.
‘We are talking about something that belongs to the core of GDPR. If you do not know what kind of personal data you hold, what you use it for and how you use it, how in heaven’s name are you going to protect it? How will you handle the question of a data subject that exercises its right of access? If somebody asks ‘What data do you have of me? Forget me!’, you do not even know what data you have to delete.
‘Again: easier for a startup than for a company that has been in existence for fifteen years. Compare it to a clean-up: you haven’t cleaned your house for fifteen years. It’s not going to be a fun job. It’s going to be a hard job. If you keep on cleaning the house every week, or every month, it will be feasible. Now it looks like Mount Doom, but you still have to get over it.
What is your advice then to companies in that situation? Set up your Data Register?
Toon Borré: ‘Get your head down, and get on with it. Actually, the first thing they should do is determine where their biggest risk is. It’s pretty straightforward that B2B companies should look at their employee and HR data. But that doesn’t necessarily mean it’s the only thing you should care about. In B2C companies, there often is an initial focus on customer data. The impact there is potentially higher than the impact of employee data. But companies should not put their employees second. That does not make sense. They will educate employees on how to be GDPR compliant, at the same time making them aware of their own rights. Employees that conscientiously handle customer data may ask the company how their own personal data are handled.’
HR: revising the Employee Handbook
So, are employee data always a risk factor for companies, adding up to the maybe lesser risk of customer data? Handling huge amounts of customer data does not belong to the core activities of many organizations, whereas every organization with employees handles sensitive employee data.
Toon Borré: ‘Depends on the size of the company. You may be an SME with 200 employees, but handle the data of thousands and even millions of customers. Then it’s easy: your biggest risk is B2C. The Sales and Marketing department will be a lot more involved than HR. So, their focus will be on customer data.
‘But if you are a company with 5000 employees and again a couple of million customers, it is obvious that the risk of personal data from 5000 employees living in Europe is not to be neglected. For customers, it’s not too big an effort to modify the Terms and Conditions. HR, on the other hand, will have to revise the Employee Handbook or the company policy manual. Those adjustments are not done overnight. It requires negotiations. Also, HR will have to revise every single employment contract, because it’s the legal basis that is used to store, gather and process certain data. Changes to the contract will have to be explained to each individual employee, because it is fundamental to the employment relationship. That will take time.
HR and the Data Registry: transparency is key
Toon Borré: ‘Organizations often ask me: “What’s the clause I need to put into my employment contracts to be GDPR compliant?” There’s no general clause. There’s no silver bullet. The concept doesn’t even make sense, because you must inform the data subject about what you do with its personal data and why you are doing it. Organizations tend to approach this very differently. There’s no general approach.
‘Questions to be considered here are: where and how will you store the data registry? How are you going to make it visible to your employees? Will you give it up for viewing by your employees? Will you give it up for review on request?
‘Personally, I think transparency is key. Why not make all the elements of the data registry available: all the processing, who is responsible for which kind of processing, how long you store the data?
‘Organizations often think they are giving away too much information, fearing their employees will not be able to correctly understand what exactly is done with their personal data, and why. Companies are missing out there on an important principle of GDPR: it’s about explaining in layman’s terms to each individual how you are processing their data. If what you have written is too complex, you have not done a good job.’