The first GDPR Conference Europe was held recently at the County Hall, London, and with it, delegates learned some hard truths – but it was not all gloom. If you missed it, don’t sweat, there is another conference coming up in June.
Some companies will go bust, others will pay substantial fines. The General Data Protection Regulation is already in force, but will become a matter of law in May 2018 – at which point companies could pay very high fines if they don’t comply with the rules – up to our four per cent of turnover, or 20 million euros. If you are not up to speed, you need to be – understating GDPR is critical.
Kicking off the day was Jonathan Armstrong, a lawyer at Cordery, a law firm that specialises in compliance work. Jonathan himself has been advising on GDPR since day one, since the day it was first announced. Jonathan cited words from a senior figure in Holland, warning that to comply with GDPR, companies should have a contingency plan outlining how they will respond to an emergency. He urged companies to begin their planning, saying that they need a risk approach plan, a data breach response plan, and that they need to invest in the appropriate technology. He also said that companies need to review vendor contracts, urging delegates to “find vendors who know GDPR.” He also said companies need to get documents and records ready to produce in the event of a regulatory inspection.
Second off, Gilbert Hill, Director of OneTrust, a privacy technologist, and entrepreneur presented a veneer of optimism. “GDPR isn’t a bolt out of the blue” he said, and cited the rules on cookies as a dress rehearsal for GDPR. But GDPR is not akin to a “January gym membership” he said, “it’s a journey.”
He also cited Steve Eckersley, Head of Enforcement at ICO, the regulator responsible for the enforcement of the Data Protection Act. Mr Eckersley said: “Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law” – words that marketeers need to take to heart.
The morning session was completed by John Culkin, Director of Information at Crown Records Management. John used to be a networking systems engineer, who got fed up with reading technical manuals. He talked about GDPR meeting the real world, but he says that he sees positives. He said that GDPR is good for customers, affording them new consumer rights and for companies that put their customer at the core of what they do, “this has to be a good thing. But who is responsible for GDPR within organisations?” It seems there is a lot of buck passing, the CIO, the CISO, IT, legal, business units – and yet so often people assume it is down to the techies, except perhaps for the techies themselves, who say it is down to anyone, but them.
He cited Tom Peters, famous writer/guru on business, who once said: “Organisations that do not understand the overwhelming importance of managing data and information as tangible assets in the new economy will not survive.”
The mid-morning session began with Ardi Kolah, co-director of the GDPR transition programme, at Henley Business School and editor in chief of the Journal of Data Protection and Privacy published by Henry Stewart Publications. He looked at how money disappeared from 20,000 Tesco bank accounts and the high-profile hacking at Yahoo. But the truth is hacking will occur, companies must try to avoid it, but need a plan in case, or indeed when, it happens – and, as Ardi said, protecting data is not just about regulation, it is about reputation – after-all the Yahoo share price fell precipitously after the hacking event.
Nicola Regan is a data privacy specialist, a senior partner at the Privacy Partnership and former employee at the ICO. She helped draft the British standard on data processing. She said: “new accountability requirements mean you will need to demonstrate that you have taken the steps you need to comply.” That is the key. Companies can apply for certification, with the BS20012 – once granted, the certification does not make a company fool-proof from being fined under GDPR regulation, but it does help.
Next up, was Stuart Mackintosh, the founder and CEO of Opus VL; he calls himself an evangeliser of open source software. Stuart says that software “is just a tool, it should work transparently without distracting the user, with the aim of enabling efficient compliance, while creating a platform upon which a business can be nurtured.” He cited research finding that of those questioned, 52 per cent said that they think GDPR will result in fines for their company, and 53 per cent of those who are aware of GDPR will be making system changes. This all begs the question: if 53 per cent say that they will be making changes, what will the other 47 per cent be doing?
After lunch, we had a debate. Duncan Gledhill, the founder of Contact Finance, Anna Mazzone of Aravo Solutions, Garreth Cameron, Group Manager for Business and Industry at the ICO, Chris Crowther, ex-military intelligence, and now at the Corsham Institute and David Clarke, who builds cyber infrastructure for financial institutions and compliance, debated several key topics. The topic of third parties kept coming up. ‘Should I asses all my third parties?’ was one question, to which came the answer “yes.” Or what should I do if my third party says they won’t be GDPR compliant for several years?
The city lawyer, Nigel Miller from Fox Williams was next. Nigel gave us the background as to where GDPR has come from, he focused on the difference between GDPR and older regulations. But it was useful having Nigel in the room as the day moved on, he was able to answer questions as they were asked.
This session was completed by Ruaraidh Thomas, a database marketing practioner. “It is our time,” he said, “the time for data analysis to move into the mainstream.” And: “all roads lead to data.” He argued that business shouldn’t look at GDPR as just IT but need to embrace data and data protection as part of the whole business.
The final session of the day began with a salutary tale – or two such tales. Duncan Gledhill returned to recall how data was stolen from him and what companies need to do, and indeed watch out for, not only to protect against data theft, but identify it when it has happened. Appearing with Duncan was Adam Mangan, who is himself is the owner of a business that has been fined over £200,000 – fines that may well bankrupt his business. What mistakes did he make, and how can companies learn from his example?
The second talk from the last session of the day was taken by Garreth Cameron, who spoke at the debate earlier in the afternoon. Garreth, as the representative of the CTO, gave an essential perspective – as he outlined what businesses can do to prepare for GDPR.
The day was completed by Microsoft’s head of Enterprise, Legal, Vijayalaxmi Aithani. She talked about how Microsoft is committed to simplifying the path to compliance, across its Cloud Services.
Compliance with GDPR is not merely a nice thing to have, it is not a luxury, it is an essential. Businesses that do not comply will be fined, and in some cases the fines may cripple them
To find out more, attend our next GDPR Summit Series, January 30th. For more information go to www.gdprsummit.london.