I was delighted to Chair the 2015 Future of Data Protection Forum last month. It was an exciting day full of interesting debates and practical takeaways for privacy practitioners.
I came away with an overall sense that businesses urgently need to get ready for the General Data Protection Regulation (GDPR), and start to design and embed digital and data ‘privacy enhanced’ ecosystems in line with their requirements. To do that, businesses must consider guidance offered by the different regulators, privacy experts and law firms; evaluate what steps they can take to mitigate data privacy and security risks; and carefully negotiate and review the contractual warranties, commitments and liabilities provided by the different stakeholders involved.
Here are my top ten takeaways from the day: what were yours?
- If you don’t know whether you’re ready for GDPR, then you should consider testing your readiness across key functions in your business. One of our speakers, Bridget Treacy of Hunton & Williams, has created a helpful guide to what businesses should be doing now.
- A layered, consumer-oriented privacy notice is crucial. It should explain who is processing personal data, what data, why, where and for how long. This external-facing notice is the main way a business demonstrates transparency to the end user.
- Businesses can embed privacy using the three lines of defence: (1) a helpdesk/self-help portal, (2) expertise (for example, using Data Protection Officers/Privacy Centre of Excellence) and (3) a corporate audit.
- Privacy by design means getting involved early on in the thought process around new products and services. This is a cultural shift and easier said than done, as you will need to engage and convince your stakeholders to include you in the early stages of creating new products and services.
- Privacy impact assessments should not only be your early warning system: the process can help the business frame what it needs to do. You need to ensure the controls are specified, clear and easy to embed. Objectives need to be SMART: specific, measurable, achievable, realistic and time-targeted.
- Think across your entire digitally connected system. Smart TVs and wireless kettles have been shown to be easy to compromise, and a compromised device can be a stepping stone to the owner's wider digital persona. How secure are your Internet of Things (IoT) devices, and the passwords they rely on?
- The human element is a challenge: people make mistakes. What should we be doing to minimise the impact of this? Awareness and training are the answer.
- Consider pseudonymisation and anonymisation techniques when managing big data. Be clear about the distinction: pseudonymised data, where the link back to the individual survives in separately held information (for example a key), is still personal data under the GDPR, so pseudonymisation reduces risk but does not take the data out of scope. Only properly anonymised data, which can no longer be linked to an individual, falls outside the Regulation.
- Test and practise your data breach response with simulations. Mandatory breach notification requirements already exist in many US states and in a number of European countries, and the list keeps growing. Rehearsal is key to avoiding the substantial fines proposed under the GDPR (the draft text at the time of writing allowed for fines of up to €100 million).
- The GDPR gives individuals a right to compensation for damage caused by a breach of its rules, so expect claims brought by lawyers on behalf of affected individuals. Work with your general counsel to provide guidance and training on what to do in the event of an incident or investigation.