How resellers should be preparing for GDPR
Bob Tarzey, director and analyst at Quocirca, explains how firms in the channel should be approaching the incoming data protection rules
What should resellers be doing to prepare for the EU General Data Protection Regulation (GDPR)? Of course, as with any business, they should be getting their own houses in order; that means the processing of data regarding employees, personal details of business customers and so on (data subjects) should be compliant. Being UK-located will not help: the government has confirmed GDPR will enter law in one form or another, and a Data Protection Bill, based on GDPR, was included in the 2017 Queen's Speech.
However, on the whole resellers are not storing reams of data about consumers. Undertakings (a GDPR term), where profit is made from processing the personally identifiable information (PII) of consumers, are the core focus of the regulation. It is mis-management of such data that attracts the attention of enforcement bodies such as the UK Information Commissioner's Office (ICO) and the monetary penalties they can impose.
For resellers, GDPR is all about opportunity, providing advice, products and services for the compliant processing of consumer PII. Technology will only be part of the solution; it is as much about improving processes.
The first activity required is to review the PII that an organisation processes and stores. All will do it at some level, even if it is only for employees (often outsourced to a human resources service provider). Where consumer PII is being processed, first ask: is it necessary? Sometimes data is retained where it need not be. In other cases, it is an isolated activity - for example, a customer list maintained by a restaurant chain for sending promotions; there, the quickest way to compliance may be to outsource.
Where there is a clear need to keep the processing in-house, GDPR requires a Data Privacy Impact Assessment (DPIA). This is part of proving to the regulator that due diligence has been applied so that, for example, even if a data breach does occur, good practice can be demonstrated and the regulator is more likely to be lenient. Resellers should consider offering a DPIA service (along with annual reviews).
When it comes to technology, data protection by design and by default (Article 25) is at the heart of GDPR. This requires addressing both the security and the administration of the processing of PII. The data security requirements should not be new to many - these have been in place for almost 20 years since the UK 1998 Data Protection Act was enacted (based on the 1995 EU Data Protection Directive). Any organisation that does not have basic security measures in place will already be in breach.
The big changes with GDPR are all about administration. The rules about gaining consent to process data are much tighter: consent must be pro-actively given and must be reconfirmed by each data subject if it is changed. Opting out must be as easy as opting in, there is a right to erasure (to be forgotten), a right to receive copies of data and so on. The ICO is already as likely to fine for the misadministration of data as it is for lapses in security. A data breach does not need to occur for the ICO to act - processing that has the potential to expose data is enough (that said, it will be mandatory under GDPR to report PII breaches).
Resellers should also offer some reassurance amid the heavy dose of FUD (fear, uncertainty and doubt) that comes with much of the messaging around GDPR. This mostly relates to the huge fines the regulators are empowered to impose (up to €20m or four per cent of turnover, compared to £500,000 under the DPA).
The precedents set by the ICO enforcing the DPA are less scary. Since mid-2015, it has become aware of about 4,000 breaches but only taken a little over 200 actions. About 90 of these have involved monetary penalties. More than half of the fines have been issued under the 2003 PECR (Privacy in Electronic Communications) legislation for nuisance calls and spam messaging. Of the remainder, fewer than 20 were for data breaches; the rest were for mis-use and mis-processing. The average ICO fine since mid-2015 has been £83,000, 16.5 per cent of the maximum (the highest under the DPA has been £400,000 to TalkTalk for its widely publicised 2015 breach).
The message a credible reseller should convey is that the UK ICO is not seeking to put its customers out of business; the ICO just wants to protect consumer privacy. No organisation can ignore the legislation, but for many smaller organisations GDPR need not be as fearsome as it is being made out. Review the way PII is being processed, stop it where possible, consider outsourcing and, where it must be continued in-house, ensure best practice.
Bob Tarzey is an analyst and director at Quocirca