Dispelling the FUD: Key insights from the "#GDPR for Dummies" Roadshow

As the deadline for compliance approaches, the fear, uncertainty and doubt (FUD) surrounding the new General Data Protection Regulation (GDPR) legislation is only growing.

With masses of information out there, it’s unsurprising that many businesses are struggling to know where to start. In an effort to offer some clarity and practical advice, the ‘GDPR for Dummies Roadshow’, delivered by MetaCompliance, was born.

Open to professionals from any industry, the roadshow stopped off in nine major European cities, from Birmingham to Berlin. For many attendees, the events proved to be a wake-up call, but thankfully, it wasn’t all tears and despair.

As a space for open dialogue and honest discussion, comfort was found in some straight-forward, practical advice.

Identity crisis – Controllers vs Processors 
The distinction between data controllers and data processors was a key point of confusion across the board, and understandably so. It can be a grey area and both roles are fluid, with organizations often shifting between the two. Let’s break it down:

The controller is the party who owns the relationship with the individual and their data. The processor, on the other hand, acts primarily under the instruction of the controller unless, of course, the controller is instructing the processor to perform an unlawful activity.

A practical example raised by many HR representatives was the use of recruitment agencies to find job candidates. In this scenario, the recruitment agency is the initial controller of the data and remains responsible during the recruitment process. Once a candidate is employed, the employer becomes controller of this data and accountable under GDPR. 

Whilst it is now possible for processors to be sanctioned directly by a regulator, they are at considerably reduced risk if acting under the direct instruction of a controller. Ultimately, controllers shoulder the responsibility.  

The HR headache 
If you don’t store customer data, does this free you from GDPR? Not quite. In fact, some of the largest GDPR remediation projects involve multinational B2B organizations with large numbers of employees. If your organization employs people in the EU, GDPR affects you.

This was a key concern for HR professionals attending our events. Gaining employee consent for data processing is problematic given the power imbalance between employers and employees. Instead, ensuring you have an alternative legal justification (e.g. compliance with tax law when withholding an employee’s tax allocation, contractual necessity when it comes to payroll processing) is a much more workable, viable solution. Generally, most HR activity should fall into one of these alternative categories!
In response to this concern, we developed and shared with event attendees some employee focused privacy templates that could be given to both new and existing employees, outlining the legal justification for any use of their personal data and ensuring transparency.

SMEs – Fewer obligations, but still liable 
SME representatives at the event were uncertain of the differing expectations the regulation posed for smaller businesses and if still liable, to what extent? 

Whilst those companies with under 250 employees have fewer obligations in terms of maintaining a record of their processing activities, these businesses still need to align their processes with GDPR requirements.

Despite what is often suggested, hiring a data protection officer (DPO) is not a requirement unless you happen to be a small business processing a significant amount of personal data that fits within one of the ‘special categories’ as defined by the GDPR (health related data for example). Being practical and taking a priority-based, actionable approach to the changes you need to make to your organization’s data is, however, vital no matter the size of your business.

A pragmatic, risk-focused approach to GDPR
The regulation will undoubtedly require big changes, but the key here is pragmatism. While FUD may leave organizations dazed, confused and vulnerable to employing unnecessary complex services, our roadshows proved a successful space to offer a sensible and practical route forward.

Achieving full compliance is not something that can be addressed all at once, so start with identifying and addressing your key risks. What urgently needs to be addressed? What updates can be made relatively easily - the compliance ‘quick wins’, if you like.

Being able to demonstrate that a clear and actionable plan is in place can offer a safeguard against the threat of fines should a regulator come knocking.

What’s Hot on Infosecurity Magazine?