GDPR or GDPARRGH: Data Protection Strikes Back

Yesterday, I went to a meeting with a number of other organisations to talk about the Big New Scary Thing (GDPR). The revised data protection law comes into effect next May. It covers all data relating to a living individual (including me, except on Wednesdays when I am a zombie).

There was a general air of determination, but also some concern regarding what the darned thing actually wanted from us. OK, people agreed that it was a good move for security, but no-one was sure what it meant in practice.

Here’s an example. GDPR requires organisations to notify the ICO immediately in the case of a breach. This sounds really sensible. But what does “immediately” mean? And how certain should you be that it really is an incident before you notify? And, more worryingly, what constitutes awareness of a breach? If one IT staff member notices something a bit odd, does that mean that UCL is “aware”? Oh, and do they mean ALL breaches? The ICO will need another thousand or so staff if they have to get involved in every minor incident.

Fines and other monsters

The other funny thing was that people are really worried about possible fines. The max current fine for a breach is £500k, which is a lot for a corner shop, but not the end of the world for UCL. The new GDPR fines top out at 4% of global annual turnover: £50million approx for UCL. This is indeed scary, but here’s something else which might be a game changer. What if criminal liability comes with the package, as it does with Health and Safety?

In the Health and Safety world, the company is liable for damages, but an individual employee can also be charged and convicted with “corporate manslaughter”, which carries a prison term.

If we apply this model to data protection, I think it might squeak a little, since most GDPR incidents aren’t life threatening- but what about Sarbanes-Oxley in the US? That had teeth because it made the financial director personally responsible for the financial conduct of their company (broadly speaking).

So in conclusion, there are always monsters under the bed. Some have fangs, some do not.