Why we’re doing the BPM Index.
We created the BPM Index, and we’re maintaining and publishing the BPM Index, because we exist to help organisations (public and private) with their compliance. Our SaaS solution and Policy Pack help organisations comply with GDPR at the everyday, practical level. The BPM Index is one of our efforts to help at a strategic level by (hopefully) helping to inform and drive positive interaction and discussion across the EEA between customers, providers, regulators, academics, consultants and all other stakeholders about best practice on personal data breach notifications.
As context in another GDPR area, in our 14 October blog on the EDPB’s 22 opinions on the DPIA position papers from 22 Member State regulators, which contained 260 different types of processing, we noted that the EDPB Chair Andrea Jelinek had said: ‘It has been an enormous task for the members of the Board as well as the EDPB Secretariat to examine all of these lists and to establish common criteria on what triggers a DPIA and what not.’
If it’s an enormous task for the top regulators of the EEA to review 22 Member States’ documents on when a DPIA is required, what is it like for those employees in businesses or public bodies struggling to understand the GDPR? According to a recent survey of SMEs by Aon ‘over half are confused by or even unaware of the rules around GDPR’. This is not good.
The people in those SMEs trying to understand GDPR are our constituency and, just as our blog on the 22 DPIA opinions is a small step in lobbying for greater simplicity, clarity and certainty for that constituency, the BPM Index is a more ambitious approach. That ambition is clearly called for.
The people in those SMEs trying to handle GDPR compliance are generally not privacy professionals, and are handling GDPR as yet another task in an already full workload. They need simple and accessible guidance to help drive awareness. That means, ideally, one document on DPIAs to review, not up to 32 (the EU Member States, the 3 additional EEA members and the EDPB) and a uniform approach to breach notifications.
Talking of breaches (which is the BPM Index’s focus), according to that Aon survey 68% of SMEs didn’t know you had to report a data breach to the UK ICO. This is also not good. It’s even worse when you consider how the regulators view the ability to prepare for, identify and react to, and report a personal data breach. In a speech on 5 December in Wellington, NZ, the UK Information Commissioner highlighted how important an area this is:’As I’ve mentioned, the ICO has received more than 8,000 breach reports since May and it’s one of the areas that concerns business most.
And rightly so. Because breach reporting is a not a mere administrative responsibility. It speaks to the accountability principle of the GDPR. The accountability principle requires you to take responsibility for what you do with personal data – and have processes and systems in place to demonstrate this compliance.
If, within the 72 hour time limit, a UK organisation has no clue as to the who, the what, the how of a breach, then it is clear that they do not have the required accountability data checks and balances in place – as required by law.
I believe that data breach reporting drives companies to invest in better security and better data governance. For this reason, I believe breach reporting to be one of the most significant upgrades in the new law.’
In its preparation for the GDPR, the UK ICO put in place a system to handle 30,000 breach notifications a year. They received 4,056 in July to September 2018, averaging 1,352 a month or a run-rate of 16,224 a year. On 23 November, CNIL in France stated it had received 1,000 notifications from 25 May or 7 a day, which averages 167 a month or a run-rate of 2,004 a year. Why the difference? We think it’s worth discussing.
We’ve said many times that we believe we’re extremely fortunate to have the Data Privacy Authorities that we do in the EEA. Take this comment from the UK Commissioner’s same speech:
‘Now we are moving into a different phase where we engage with UK businesses and citizens differently. We need to be more of a collaborative, inquiring, helpful regulator — working with organisations on data protection impact assessments and codes of conduct. This is ICO 2.0.’
The UK ICO is an excellent regulator and gives excellent, practical guidance. But the UK ICO’s guidance doesn’t apply across the 31 countries of the EEA. Businesses are increasingly international, certainly within the near neighbours of the EEA, and even very small businesses are looking at their cross-border GDPR obligations.
Keepabl is also crammed full of privacy geeks who want to help our customers in any way we can. So we also love talking about all aspects of GDPR, and the notification data just looks like too big an itch for us to not to scratch. It’s early days for the GDPR and clearly businesses are still getting to grips with it, so some variance is to be expected. But if we can help drive a better, simpler understanding in a key GDPR area, we’ll be very happy. We’ll also be happy to have any errors pointed out and receive our fair share of ‘constructive criticism’, as long as we’re helping to fuel the discussion.
So, that’s why we’re doing the BPM Index. Why are we doing Keepabl?
Why we’re doing Keepabl
Robert Baugh founded Keepabl to joyfully use technology and domain expertise to solve headaches for others, and if we can make them happy in the process, we’re happy. That’s our ‘Why’.
And we’re very happy that the feedback on our services indicates we’re hitting the mark. Comments we’ve heard recently in demos and from customers include ‘I’m loving this’, ‘This is brilliant’, ‘This is going to make my life so much easier’, ‘This really reassures me’, ‘This is very comprehensive but very simple’, ‘It’s like you’re having a conversation with someone’, and the one we hear pleasingly regularly: ‘This is really simple – and I mean that in a good way!’
Starting with the Why means you’re focussed on your customer from the very start and have a greater opportunity to connect with your customer and fulfil their needs. It also means you can diversify and stay true to your mission and the relationship with those customers, keeping on delighting them across a broader range of services.
The BPM Index is an example of how we can be involved on behalf of our customers and other stakeholders, to spark interest in and hopefully illuminate a difficult area, by combining our technology and domain expertise. We hope you find it as interesting as we do.
The UK ICO’s detailed report on the 2,629 personal data breaches reported to it in Q1 2020 shows a startling fact: more breaches happened from mis-sending emails, faxes and mail…
Trick question: is it legal for a national postal service to guess your political opinions from what they know about you, such as age and address, and sell that data…