Developing a compliance strategy to meet data privacy regulations
August 2017 | SPECIAL REPORT: TECHNOLOGY RISK MANAGEMENT
Financier Worldwide Magazine
August 2017 Issue
The General Data Protection Regulation (GDPR) will come into force on 25 May 2018, replacing the UK Data Protection Act 1998 (DPA). In her speech on 21 June 2017, the Queen confirmed that the UK intends to comply with GDPR post-Brexit by implementing a new UK Data Protection Bill, mirroring the provisions of the regulation.
This means that any organisation handling EU citizens’ data from 25 May next year will need to take action over the coming months to ensure they are compliant with the stricter privacy rules or face much harsher penalties. This includes fines of up to 4 percent of their global annual turnover or €20m, whichever is greater.
In this article we set out five strategic steps your organisation should take now to ensure compliance by the May 2018 deadline.
Ensure organisation-wide knowledge and understanding of the GDPR
The UK information commissioner, the UK’s data protection regulator, has stated that the key to compliance with the GDPR is awareness and education within organisations.
Do you know how long personal data is used by your organisation in the day-to-day running of the business? Are your employees aware how a data breach should be dealt with? Do your employees know how to deal with a response from an individual for a copy of personal data? Failure to comply with the laws surrounding the use of personal data can lead to severe penalties being imposed by the regulator and significant damage to your reputation.
It is important that an entire organisation, from board-level down, understands the existing law and the key changes to it. Most importantly, there has to be a baseline awareness of the seven principles underpinning the rationale of the regulation, including the newly enshrined ‘accountability’ principle.
The principle of accountability requires you to demonstrate compliance with the GDPR. This is only possible if your staff has a solid foundation understanding of your organisation’s data protection obligations, responsibilities and data subject rights in order that they can make informed business decisions about how to protect against risk, and safeguard the personal data you hold.
Appoint GDPR stakeholders: the DPO and data protection steering group
GDPR compliance will depend on cooperation between, and championing from, all business stakeholders to be successfully implemented and maintained. Appointing a central GDPR leader supported by a GDPR project team or ‘steering group’ made up of individuals from all business divisions is a crucial step toward GDPR compliance.
It will be mandatory under GDPR for organisations carrying out high-risk activities (including systematic or large scale sensitive data or profiling and evaluation activities) to appoint a data protection officer (DPO). The main role of the DPO will be to monitor and independently advise on compliance with the GDPR through involvement in all matters relating to data protection.
It is important that the DPO is provided with sufficient support and resources to carry out their role, and having board-level leverage (particularly from a budget perspective) is essential. In larger organisations, it may be sensible to appoint a separate chief privacy officer who is a member of the executive team.
Even if your organisation is not legally required to appoint a DPO, it is advisable to consider whether such an appointment would be beneficial to the business.
Audit and gap analysis, and data mapping
The GDPR reinforces a lot of the existing principles of the DPA, while adding detail to certain requirements and introducing new ones. For example, while privacy notices are an existing requirement, these will likely need updating under GDPR to include information around any automated decision making, including retention periods and an explanation of data subject rights and the legal basis for such processing. A good starting point for ensuring compliance is therefore to review your existing policies and processes to identify the ‘gaps’ in your current governance and compliance framework.
It is crucial that you have an understanding of the types of personal data that are collected by your organisation, the records and systems in which they are stored, and the purposes for which they are processed and how (data mapping). This exercise will enable you to assess your risk exposure and identify what compliance measures are required to minimise those risks.
While operational staff may generally have a good understanding of how personal data is processed and stored within their own department, a firm-wide view is essential. Data mapping will also help to meet your accountability obligations, as the GDPR requires both controllers and processors to keep a detailed record of their processing activities, including, among others, the purpose for the processing and the categories of data subjects and recipients.
If your organisation carries out cross-border processing in the EU then you should review European guidance that has been issued to assist with determining your lead data protection supervisory authority.
An evaluation of how you are protecting individuals’ personal information (for example, with encryption or pseudonymisation) should also form part of your audit and gap analysis exercise. Remember that your first priority is to protect the individual’s privacy: from the day you collect the data, through to destruction of that data once it is no longer needed. Viewing compliance from the individual’s perspective will help you meet their expectations in terms of their data privacy.
Privacy by design
A privacy by design approach is not a new concept, however the GDPR imposes a general obligation on organisations to implement technical and organisational measures to show that you have considered and implemented data protection compliance at the outset, and throughout the lifecycle, of any project involving the processing of personal data.
Privacy Impact Assessments (PIA) are an integral part of taking a privacy by design approach. A PIA can be used to evaluate the potential risks posed to an individual’s privacy rights through your organisation’s use of their personal data. Conducting a PIA will benefit your organisation by ensuring that potential problems are identified at an early stage (for example, at RFP stage), and should also assist with producing more robust policies and systems for ensuring data privacy.
The ICO has said that if organisations “can’t demonstrate that good data protection is a cornerstone of their business policy and practices, they’re leaving themselves open to enforcement action that can damage their public reputation and possibly their bank balance. That makes data protection a boardroom issue”.
Organisations will need to take a proactive, rather than reactive, approach to data protection under GDPR. Simply producing a written policy on, for example, data retention, will be of little value if you have not put in place procedures for storing, updating and deleting personal data. Privacy should be the default setting, with data protection and individual privacy embedded into your organisation through IT systems and stakeholder mentality.
Building a robust governance and compliance framework (including data breach reporting and other response procedures)
A clear governance framework is essential to assist with demonstrating to the ICO how your organisation practices compliance. Done right, privacy compliance will enhance your business operations and need not be a burden.
As well as updating some existing policies, GDPR will require you to implement a whole host of new policies setting out the procedure to be followed with respect to, for example, data erasure, portability and breach response.
GDPR prescribes that in certain instances there will be a mandatory obligation to notify regulators and also potentially individuals (whose data has been compromised) of a data breach. There is an associated obligation imposed on data processors with respect to notifying their controller of such a breach. It is therefore crucial that your organisation has a clear policy and procedure for determining when a breach has taken place, how to manage and respond to that breach, and clear guidance for staff (in a language that is understandable at all levels of the organisation) to assist them with determining when and in what circumstances to report.
Procedures should be tested to ensure that they work, and policies and processes should be regularly reviewed and revised to demonstrate to the relevant data protection authority that you are taking data protection compliance seriously.
Ella Fenton-Livingstone is a commercial and data protection solicitor and John Benjamin is a privacy specialist at DWF LLP. Ms Fenton-Livingstone can be contacted on +44 (0)113 204 1605 or by email: email@example.com. Mr Benjamin can be contacted on +44 (0)20 7280 8950 or by email: firstname.lastname@example.org.
© Financier Worldwide
Ella Fenton-Livingstone and John Benjamin