How the ICO will measure GDPR compliance, and whether a certificate means anything
Now that the EU's General Data Protection Regulation (GDPR) has been in force for a few months, businesses and organisations are doing all they can to remain compliant.
It's difficult to ignore the sense of panic that engulfed many organisations in the lead-up to, and even some time after, the legislation took effect on 25 May. This handed so-called GDPR experts and professionals the perfect opportunity to exploit those hoping to do all they can to avoid dizzying fines.
Ambitious promises to get an organisation's IT infrastructure and practices fully GDPR-compliant in one quick fix have proved unreliable. In any case, the Information Commissioner's Office (ICO) has already said GDPR fines will not be a simple exercise in scaling up the penalties it currently administers under the Data Protection Act 1998.
It's therefore highly unlikely your organisation will be targeted for non-compliance, provided it is taking all reasonable steps to comply with GDPR and cooperates fully with the authorities. Moreover, the ICO will almost certainly allow businesses time to find their feet in a post-GDPR world.
In practice, this means many breaches will lead to warnings and enforcement notices rather than crippling fines. But there is always a chance you could be doing more, so is it worth bringing in a professional to audit and restructure your data and privacy setup for that added level of reassurance?
Although it is a good idea to get advice from a GDPR specialist (if you haven't already), none of the courses touted as making your company GDPR compliant will actually do so. The ICO has said it will publish a list of suppliers that can help (in effect, recommendations), but it has not yet released this list, and taking any course will not automatically make your organisation compliant. GDPR also provides for certification bodies, accredited by the supervisory authority or the national accreditation body, to certify compliance, but as yet none exist.
Once accredited, these bodies will be able to issue certification showing that an organisation complies with GDPR, valid for a maximum of three years before it must be renewed. The EU has said a common EU-wide certification of this kind would be called the 'European Data Protection Seal'.
Data protection lawyer Dai Davis, of Percy Crow Davis & Co law firm, says: "Organisations simply need to comply with the GDPR (or at least try to). In any event, there is no certifying body. You don't need to prove compliance ... you simply have to be compliant."
Of course, the ICO may audit organisations' compliance, and certainly will in the case of a breach, so it pays to be able to demonstrate that you abide by the legislation. So the question becomes, how can you do this?
Corporate and commercial solicitor at Kirwans law firm, James Pressley, tells IT Pro there are a few different forms of proof organisations can offer the ICO. These must all demonstrate:
- Internal policies and procedures that comply with the GDPR's requirements
- The implementation of the policies and processes into the organisation's activities
- Effective internal compliance measures
- External controls
"All of these would not only need to be documented (for example, policies), but there would need to be a record kept of how they were being carried out in practice to demonstrate compliance," Pressley explains.
In addition, data controllers (the organisation that decides why and how personal data is processed, as opposed to a processor that merely handles it on the controller's behalf) must be able to show they have established a data protection compliance programme and privacy governance structure, as well as ongoing privacy controls.
Controllers must also embed privacy measures into corporate policies and everyday activities that concern personal data.
Not only must they document their privacy measures and keep records of compliance, but they must train employees on privacy and data protection matters and test their privacy measures, using the results to improve their policies.
How will the ICO measure compliance?
The ICO - and any other EU member state data protection authority - would consider whether your organisation meets the points above, though it is probably wise to hire a legal specialist to guide you through the specifics and ensure you understand them fully.
While there may be some debate as to whether a data protection policy is adequate, Pressley adds: "Past experience would suggest that the ICO requires full compliance with legislation and is unlikely to accept poor documentation or implementation."
Both lawyers make the point that when it comes to audits, firms suffering security breaches will be the ICO's first port of call.
"In practice [the ICO will measure compliance] by (a) becoming aware of organisations suffering from public breaches and (b) auditing organisations - especially those falling into the former category," Davis says.
Pressley agrees, stating: "There will be a lot of non-compliance, which will be obvious. There will be some major problems such as security breaches, in which case the organisation's policies and practices will be examined closely."
Are any GDPR certification schemes worth the money?
In short, no - certainly not if you enter them for the purpose of gaining a certificate demonstrating compliance. As noted above, there are currently no bodies accredited to audit and certify GDPR compliance.
Those that do exist may say their certification is valid for GDPR, but in fact they are often based on the National Cyber Security Centre's Cyber Secure standard, Pressley says. That means organisations that undertake their courses may still be found non-compliant by the ICO.
However, Pressley also said the ICO had intended to accredit UK certification bodies by spring 2018, just before GDPR came into force. This did not materialise, and the ICO currently has no plans to provide its own certification.
But Davis adds that existing schemes, if using the GDPR legislation as their basis, may have some value: "The more any organisation does to comply the better. Obtaining any form of external certification implies that [an] external organisation is going to check where the target organisation is not doing enough, thus enabling the target organisation to become more compliant."