Strong fines and far-reaching provisions mean compliance with the GDPR is vital
Are you ready for the EU General Data Protection Regulation (GDPR)?
Many have heard of this, but how many are prepared for it? The deadline for compliance, 25 May 2018, is now looming and any business with EU customers, and this includes UK customers regardless of Brexit, needs to be alive to this. This regulation will give our national data regulator, the Information Commissioner’s Office (“ICO”), the responsibility and legislative powers to ensure it is complied with – turning the pussycat into a lion!
The striking change in the new regime is that if firms are found non-compliant after May 2018, it could be very expensive and carry serious consequences. Aside from the reputational damage, maximum sanctions set within the legislation for serious breaches are as high as €20m or 4% of annual global turnover, whichever is the greater. The ICO will have the power to fine at these levels to ensure an ‘effective, proportionate and dissuasive’ sanctions approach, and after implementation it may well be keen to send out strong early messages using these new sanction powers.
A few hefty fines for material breaches would certainly bring clarity of purpose to those still dithering over their data protection governance and controls. To use a recent example, TalkTalk were ‘disappointed’ when they were fined £400,000 in 2016. Recalculate that fine under GDPR and it could have been around £70m. A sobering thought.
Unfortunately, the value at risk is not just the monetary value of the ICO fines. The risk of class actions by data subjects, which are now allowed, and the value of pecuniary and non-pecuniary compensation claimed by those affected, are also matters for serious consideration by senior management teams.
As with all regulatory compliance, it is not just a case of being compliant but being able to demonstrate compliance. In this regard, documentation is essential. The following are some key aspects of the regulations to be considered.
Senior leadership & compliance with the GDPR
- Ensure the Board has been informed of the possible impact and risks of this regulation and has documented its approval for a properly resourced project to identify and implement changes.
- Document the decisions on who is to be the key compliance lead and owner of the associated risks. Begin to structure the governance framework for your data protection compliance going forward.
- Someone within the IT department may be chosen as the overall lead but it is vital that they do not try to implement changes without proper project governance. Stakeholder management protocols should be strictly followed to ensure that on-going business ownership of risks and new procedures work effectively.
- Identify other stakeholders, e.g. suppliers, data processors, corporate partners, etc. Get talking to them. Consider sharing data protection impact assessments under the allowed conventions.
Data processes & compliance
- All processes that involve personal data should be identified and mapped to build the required Data Activity registry (Article 30).
- Again, the regulations make it critical that the correct business owners are identified and so it’s sensible to involve them throughout.
Personal data & the GDPR
- Once the processes have been identified, the data within them needs to be identified, including that in e-mails and, new under the GDPR, IP addresses.
- The data should be catalogued and categorised.
- Each piece of data collected during the business processes needs to be justified i.e. can you explain why and how it is used?
- Make decisions on the business policy for the treatment of each category, e.g. retention times, access rules, etc.
Data subject consents – important checks ahead of its impact
- Review the current consents and privacy notices in place against the revised GDPR requirements. There is a need to demonstrate that consent was freely given, specific, informed and unambiguous and that the customer provided clear affirmative action i.e. no pre-ticked boxes.
- Different categories of data or data collected by different means may need different forms of privacy notice and consent.
- Design and document a process that meets the new GDPR requirements.
Privacy by design
- Include data protection within business protocols for ongoing procedural and business changes; e.g. business projects should include a data protection impact assessment as standard.
Policies & procedures
- Update and communicate all changes to staff, suppliers and business partners.
- Design, implement and test training for staff and suppliers as necessary.
- Consider training and certification options for your nominated Data Protection Officer. This role is required in certain circumstances.
Legal/contracts & the GDPR
- Update contracts to include appropriate clauses according to the type of relationship regarding data. This is absolutely critical in the case of data processors.
- Review your business insurances to ensure that they are appropriate in the new GDPR world.
The revised GDPR sanctions, and the associated cost of remediation, are designed to ensure businesses take their data protection seriously. Do not get caught out. Use these changes to make positive improvements to your business and stay one step ahead of your competitors. Treat data like any other asset – protect it and use it effectively to bring out its business value.
Please contact GDPR compliance consultants Momentum GRC here to discuss how we can help prepare your firm for these important upcoming changes.