In the confusion that is Brexit, one thing is certain. Come May 2018 the EU's General Data Protection Regulation (GDPR) will test your organisation like never before. Effective, expert collaboration, led from the top, will make the data-protection revolution painless, and even profitable.
With customer data heralded as the 'new oil', a precious commodity on which businesses rely to grow and innovate, many are forgetting its volatility. With record fines, reputational fallout and prospective new levels of personal liability at stake, data is precious. That means its protection is the business-critical issue of our time.
Does Brexit mean a free pass on GDPR?
However negotiations play out, if the UK wants to do business in Europe it will have to adopt regulation as rigorous as GDPR. The new Data Protection Bill, likely to become law next year, is set to adopt the standards of GDPR. There is no free pass.
If the UK takes this path, the punishment for breaches will be severe - fines of up to 20 million Euros, or up to 4 per cent of worldwide annual turnover, whichever is higher.
Start with your teams
GDPR is here to stay and time is running out to understand its impact on your organisation. For example, no longer will organisations be able to assume consent to collect data. GDPR will demand consent to be active and demonstrable, with a clear audit trail. You'll also have to react swiftly and thoroughly to requests to remove, erase or rectify personal data.
Are your systems ready for these most basic requirements? Are your staff trained? Are departments working together?
Legal: Your legal team will be the first of your players to grace the GDPR pitch. Not only will they interpret the new law for your organisation, they will oversee new obligations such as GDPR-compliant contracts with your third-party suppliers.
Under GDPR, third-party data processors (such as cloud storage providers) will have to comply with more stringent data-protection requirements. GDPR places the onus on data controllers to ensure their processors meet this mark before they use their services.
Compliance: Unsurprisingly, GDPR prescribes clear tasks for compliance teams; production and assessment of policies and procedures, monitoring, auditing and training. Is your team structured so that they work seamlessly with legal to understand this new world?
IT and Information Security: A mission statement of GDPR is 'data protection by design and default'. Your IT team will need to live by this motto, and translate your legal and compliance teams' strategy into play.
For future installs, GDPR-readiness should come as standard. What about historical systems? These regulations presume organisations know exactly what data they hold, and where.
This is potentially the biggest challenge for businesses. Extinct, abandoned systems, files in storage; without properly audited data, how can an organisation comply with requests by individuals to be 'forgotten'? How will they know when data has been lost or exposed if they don't know where it is to begin with?
This may not be a new problem. But it should be a priority.
Compliance is collaboration
In many organisations, the CEO will still think this is a compliance issue, and that it can be left to them to sort discreetly. Consider multi-million fines, irreparable effects on reputation and the potential for personal liability (under the Data Protection Bill), and it's clear the potential risk demands a collaborative effort, led from the top, to mitigate it.
The CEO needs to break down any idea that Legal, Compliance and IT can work in isolation. This may require significant cultural change. If you're sat at the board table, how will you help make that shift?
Consider a Data Protection Officer
Under GDPR, all public bodies and some private entities will be required to appoint a dedicated Data Protection Officer (DPO) who will have statutory duties to ensure compliance. In most cases they ought to report directly to the board.
Those not legally obliged to appoint a DPO should seriously consider doing so.
A single conduit for collaboration, and a single voice to the board, could be invaluable to your organisation. This position could be the star player that captains your teams to compliance.
The six-month countdown - what to do right now
- Undertake an immediate review of the data that your organisation is processing
- Can any data be pseudonymised? If so, do it. Anonymised data does not come under the rules of GDPR, but seek advice if you want to translate it back to a usable form
- Where is the data and where is it going? Data controllers need to ensure that if data crosses borders, the destination jurisdiction has adequate regulation.
- Review your processes for data breach notification; do your systems tell you when issues occur?
- Carefully review the contents of contracts; do you need a data protection impact assessment? Where data is high risk, such as information regarding children or health, you may be required to perform a data protection impact assessment. Start this now!
- Carefully review your relationships with processors if you are a controller. You are required to perform due diligence to ensure processors are also GDPR-compliant.
- Train your workforce
- Identify or recruit a Data Protection Officer
- Do you have adequate processes in place for employees to handle a serious data breach? We only need to look at the NHS and WannaCry to see the impact of outdated systems
- Are your contracts of employment and/or contracts with sub-contractors compliant with GDPR?
- Are you giving employees the correct information? Consider significant investment in communications to employees across the board
GDPR, for the greater good?
Let's not forget, GDPR actualises the principle that an individual's personal data is sacrosanct.
Any legitimate business should already have a core principle of protection and fair treatment of personal data. As the first EU-wide, enforceable regulation, GDPR is positive.
Data protection has been too low on the list of priorities, with individuals unaware of the ways their data is used and shared. Organisations that lead the way in this new world will not only ensure legal compliance, they will be seen as champions by the consumers who trust them with this most precious of commodities. By being ready now, you'll not only comply. You'll thrive.
Dean Armstrong QC, Consultant Barrister, Setfords Solicitors