John Lewis and HSBC have become the latest brands to call for more clarity from the Information Commissioner’s Office over how they can achieve compliance with GDPR by May 2018, insisting the regulator’s guidance is still too ambiguous.
The ICO has published its 12-step guideline for complying with the new GDPR regulations, and has pledged to publish its final version of consent guidance this month. However, it seems that this is proving problematic to apply to industries with specific operational requirements.
Speaking at a panel discussion at London’s Infosecurity Europe 2017 conference, John Lewis group data and infosec officer Steve Wright said: “I have had the pleasure of working with some fantastic lawyers, but even they are struggling to give a true interpretation.
“There are seven rights under GDPR, the Right to be Forgotten is just one. For us as a retailer it is going to be incredibly difficult to fulfill [requests for data deletion] within 30 days.”
Wright went on to cite lengthy warranty periods – John Lewis will need to honour warranties of 10 years in some cases, and will be unable to entirely delete that data when requested.
Meanwhile HSBC deputy general counsel Cameron Craig said that the “woolly” nature of the ICO’s guidance has proven challenging.
He added: “There are large areas of GDPR that are the same as the existing rules. Unfortunately, instead of having a single black line saying ‘these are the changes’, you have to work out what is actually different.”
Craig claims that early negotiations on GDPR have failed to take into account specialist industries such as the financial sector.
“All the discussions were around online services, the likes of Facebook and Google. It might be ok to have a consent-based system for that type of processing, but for financial services there is a huge amount you need to do without consent. Just getting that reassurance that you can continue doing that is quite a challenge.”
Even though the financial services industry is well versed in making regulatory changes and has systems in place to deal with disruption normally caused by new regulations, Craig is doubtful that HSBC will be compliant in time.
“You can’t just write [the new laws] down on a piece of paper and say ‘you have to comply with this, this and this’,” added Craig. “You have to have a highly sophisticated digital rights management system in place to do that. We’re just not going to get that by 2018.”
However, ICO senior technology officer Peter Brown urged concerned companies to continue consulting with ICO guidance, even though he admitted “it may not arrive as quickly as people want”.
“We’re not going to bang everyone’s door down on 26 May, saying ‘give us a cheque for 4% of your annual turnover’ [the maximum fine for a breach]. But it is an opportunity to put in place the right data protection practices, and those that get it right will benefit.”
He added: “There has been a consistent message that we have tried to get across. We are continually working on new guidance, and more will be coming out. It may not arrive as quickly as people want, but it is on the way.”