GDPR - Are You Ready For The 25 May Deadline?

Issue 33

As the 25 May deadline for the new General Data Protection Regulation (GDPR) fast approaches, there is an increased focus on ensuring businesses have plans, processes and controls in place to comply with the new regulation.

The new legal framework is the biggest change to data privacy legislation in over two decades, and aims to protect EU citizens’ personal data, regardless of borders or where the data is processed. GDPR is coming into force to ensure that individuals have the right to protect what happens to their personal data.

The regulation will transform how businesses obtain, store, manage and share personal data. A failure to comply with the new rules could see businesses facing significant penalties of up to €20m or four per cent of annual global turnover, whichever is higher.

Perhaps the most important factor of this new legislation is to ensure a business’s personal data governance processes protect the rights of individuals. In response to this, a structured and risk-based data protection programme will need to be established, with all personal data processing activities accurately recorded. This obligation extends to any third-party contractors or partners working with a business and will present companies with much greater legal liability in the event of a data breach.

A survey published in January 2018 by the Department for Digital, Culture, Media and Sport has revealed a worryingly low level of awareness of the new regulation.

According to the Ipsos MORI survey of 1,519 businesses, only 38 per cent of businesses had heard of GDPR, raising the concern that a large proportion of businesses have a long way to go before they will be ready to demonstrate compliance with it.

Two key aspects of readiness include:

– identifying all instances of personal data obtained, processed, stored and shared across each functional area of the business and creating formal personal data registers to demonstrate the legal basis or formal consent obtained to collect and process the data; and

– undertaking a gap analysis of current personal data governance related processes against the key requirements of the GDPR (mapped against the ICO’s 12 Steps) and creating an action plan to address the resulting key gaps via the adoption of a risk-based approach.

The future state: ensuring compliance with GDPR

It is generally believed at present that an organisation with an existing strong governance regime will be better placed to apply and abide by the new rules. However, there are elements of GDPR that will require further attention to ensure that compliance can be achieved when the rules are fully implemented.

Key changes from the current Data Protection Act are as follows:

– organisations will be required to report any data breach involving customer or client data within 72 hours. This will require security models to focus on identifying, remediating and reporting data breaches rather than just preventing them; and

– there is a requirement to demonstrate that explicit consent has been obtained for all personal data processing activities.

In addition, the growth in third-party storage and access also needs to be addressed. Any failure by third parties could have material consequences for the organisation using their services.

Other specific items for consideration will include the following:

– who is responsible for driving compliance with GDPR across the organisation?

– what governance procedures are in place to approve any new arrangements?

– what plans are in place to achieve compliance by the required deadlines?

– what steps have been taken to establish your current data footprint?

Strategic framework for future changes

We understand that establishing a data protection framework which is fit for purpose and future proof is a key requirement for your GDPR compliance project. The scope of your readiness plans will need to consider how to embed good data protection practices and procedures into your Business As Usual environment, and how to take data protection into account when making changes to the business that could have an impact on the processing of personal data, including:

– establishing a process to ensure that a comprehensive, accurate and up to date record is maintained of all the personal data held, including its location, its origin and whether arrangements are in place for it to be shared with third parties;

– assigning a data owner and ensuring regular data audits are undertaken to capture any changes;

– establishing a process for Privacy Impact Assessments;

– establishing a process for Privacy by Design;

– procedures for ensuring annual data protection refresher training is provided to relevant staff and new joiners;

– procedures to include guidance on breach detection, reporting and investigation (including identifying the types of data held that fall within the breach notification requirement);

– updating the Information Security Breach Policy and process for managing personal data breaches;

– establishing a process for reviewing and updating data protection related policies and procedures to ensure that they remain relevant to the business and continue to comply with any changes to the legislation.