As the go-live date for the General Data Protection Regulation draws ever closer, firms across the U.K. and Europe are hastily putting the necessary provisions in place by delving into the minutiae of their operational processes. It is clear that U.K.-based legal and insurance firms face an extensive and diverse range of challenges when trying to implement the required controls. Here, we look at some of those challenges.
Organizational complexities
While firms of different sizes face their own unique challenges, it is apparent that smaller firms are particularly unprepared and, in some cases, entirely unaware of the new regulation.
Small firms typically lack the resources and expertise required to prepare effectively for the regulation, or indeed to assess the impact it may have on their operations. As a result, these firms are unable to allocate sufficient resources to manage these projects, and the individuals assigned typically juggle this responsibility alongside their day-to-day tasks.
This consequently has an impact on the firm’s ability to impart the importance of data protection to the organization.
Conversely, larger firms appear to be better prepared on this front, as many of them already have established compliance teams in place that can readily absorb the additional work. Alternatively, with funding readily available, some firms are choosing simply to buy in the necessary expertise. As such, these larger firms are well positioned to interpret the often complex wording of the regulation and construct cohesive action plans to comply with their legal obligations.
However, simply having the necessary resources in place isn’t enough to ensure a smooth transition. As many of these firms have historically managed significant quantities of personal data, procured via an assortment of intricate operational processes, their existing systems need to be picked apart, sometimes in their entirety, to effectively integrate the new requirements.
To aid this process, the U.K. Information Commissioner's Office (ICO) and the EU's Article 29 Working Party have issued several guidance documents covering a number of key GDPR topics, which aim to simplify the regulation and provide practical information. Additionally, the ICO has set up a dedicated hotline to support small businesses and, more recently, produced specific guidance for micro-firms.
While these resources have proved to be useful, many of them have only been published in the last six months. This has meant that small firms, which will be particularly reliant on them, may not have the time to adequately absorb the necessary information or implement the relevant controls required.
Top management buy-in has long been an issue when it comes to data protection. In fact, it was only back in 2015, when TalkTalk was fined the record sum of £400k, that Information Commissioner Elizabeth Denham proclaimed that data protection needed to be a boardroom issue.
Surprisingly, this doesn’t seem to be the case this time. In fact, it appears that not only is top management buy-in no longer a major issue, but C-level executives have a greater understanding of risks in relation to data protection and the potential impact of a breach on the firm.
In a number of cases, the firms’ CEOs were identified as individuals with a particularly strong appreciation of these types of risks and were actively involved in lobbying efforts to ensure that all industry-specific risks had been considered. It would appear that the mainstream media attention surrounding a number of recent, high-profile breaches has made a significant contribution to furthering top management engagement.
While buy-in at the top level appears to have improved, there continue to be numerous challenges in cascading information down the organization, with privacy professionals still facing difficulties when seeking engagement from lower-level management. This is causing something of a roadblock within larger firms, resulting in an inability to implement the required controls effectively.
To counter this, firms must implement cohesive processes to build awareness and communicate the importance of data protection within each tier of management. This would ensure that the essential information is adequately cascaded through all divisions of the business, all the way down to front-line staff, who will face the greatest challenges in managing the day-to-day aspects of the regulation.
Post-GDPR landscape
Looking past May 2018 and into a world with GDPR, the key concern cited by privacy professionals appears to centre on the new breach management and reporting process.
Privacy professionals believe that there will be a significant increase in the number of breaches reported to the ICO; however, rather than having a positive impact, many suggest that the new reporting requirement would simply overwhelm the ICO and leave it unable to function as an effective regulator.
They also felt that a lack of resources within the ICO, coupled with the effort of managing the increased volume of breach reports, would have a particularly detrimental impact on the proactive investigatory work that currently takes place.
Even with the introduction of the new rights for individuals and the accountability principles placed on firms, privacy professionals do not feel that the new regulation would have much of an impact on those that the regulation intends to protect.
There is a belief that rather than empowering individuals to recognize and manage their personal data, excessive media publicity surrounding data protection breaches, combined with new breach reporting requirements, would result in data subjects becoming desensitized to the risks in relation to their personal data.
Future-proofing GDPR
It is clear that the regulation will be a positive first step in providing greater accountability and much-needed control for individuals over their personal data. However, it appears that firms in the legal and insurance sectors are facing significant challenges in implementing the controls necessary to comply with the new regulation. There are also concerns about what will happen post-May 2018.
The government and the ICO desperately need to do more to ensure that all firms, particularly smaller entities, are engaged with GDPR and provide the necessary support to prepare them for May and beyond.