If your organization missed the deadline for implementation of the Regulation, what are you doing now?
Studying this technical article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We'd suggest that you use this as a guide when allocating yourself CPD units.
In a recent GDPR survey, many large organisations and almost 80% of small and medium-sized organisations admitted they are not ready for, or do not understand, GDPR.
GDPR looks at all data from the perspective of the data subject or ‘Natural Persons’ per the terminology of the regulation. This puts the needs of the data subject first.
The Regulation forces us to change our approach to how we treat personal data and, until there are court rulings, we will not have complete clarity on the set of validation rules.
In the intervening period, we should consider looking at GDPR in the way that Working Party 29* of the European Commission intended – as a holistic approach to protecting personal data with the interests of the individual at its core. In the Regulation, there is a concept of ownership and bestowing rights and responsibilities on those we share our data with.
In the longer term, whether the concept of ownership is compatible with the growth of the digital economy is questionable and will undoubtedly be the subject of much discussion.
Complying with GDPR is about managing information risk and needs to consider the following trio of risks across all facets of an organization:
One of the major issues organisations and their auditors have had with the previous Data Protection Act was that it was primarily viewed as an IT problem to be solved with technology.
The articles that make up the GDPR make it clear that it is a people and processes problem and that, by raising awareness, providing adequate training and developing robust processes, the requirements of the GDPR can be adequately satisfied. There will be technology solutions that help with storage, processing, retrieval, transmission and security, but their primary role is to help facilitate business operations in a secure and efficient manner, not to guarantee compliance.
While some organisations are well on the way with their compliance journeys, others think they can fly under the regulation radar. The truth is that organisations of every size - not just corporations - must be GDPR ready.
This is because the new Data Protection Act 2018 - the legislation that brings General Data Protection Regulation (GDPR) into UK Law - is not simply a rebranding of the existing Data Protection Act, but a major overhaul.
The old laws were well past their sell-by date. GDPR aims to make sure we are all protecting the personal data we collect, so ignoring this legislation represents a very real risk to your business.
GDPR ready - an opportunity to get ahead?
All businesses are likely to collect and share information about citizens and residents of the EEA. They can be part of other, larger companies’ supply chains and are expected to comply with their customers’ standards of information management.
An investment in being GDPR ready and meeting the higher standards of data management brings benefits for every business. When you help your client to protect their customers’ data, this builds greater levels of trust. In the long run, if you make compliance part of your everyday ‘business as usual’, you will be at a distinct advantage over businesses which cannot adapt to meeting GDPR standards – or the evolving standards of their customers.
Companies which understand and accommodate these new rules will also enjoy more accurate data, better data security and other competitive advantages.
What’s in your data?
All companies, regardless of size, store and handle personal data, and are subject to GDPR rules.
The GDPR requires organisations to clearly inform the data subject of the information they collect from them and on what legal basis. The first principle under Article 5 states:
- Data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Organisations need to ensure any data they collect is protected from unlawful access and use, as defined by Article 32:
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Organisations also need to understand and record exactly what individual pieces of personal data they collect, process, store and share. In simple terms, this means that all organisations are required to create what is known as ‘Records of Processing’, which is referred to under Article 30:
- Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.
Records of processing must include:**
- Name and contact details of the organisation
- Purpose and description of processing: an overview of the types of processing that take place, with a description of the types of personal data processed
- Categories of data and retention schedules: an overview of the types of personal data processed e.g. sensitive, protected characteristics etc. and the retention periods for each type of data
- Third party transfers: a register of any third party transfers that take place, including binding corporate rules and transfers to third parties outside of the EU
- Technical and organisational measures: organisations may refer to control frameworks such as ISO 27001 to demonstrate a baseline level of security compliance.
In compiling your ‘records of processing’, it is important to consider that GDPR differentiates between ‘personal data’ required to enter into a contract, which is freely given and necessary for the performance of that contract, and data provided under consent given for a specific purpose, such as receiving marketing material or accessing information contained on a website.
There is also ‘sensitive personal data’ - which is often collected, but not actually required by a business as it fulfils its contract with the customer. Sensitive personal data poses more risks under GDPR and includes political affiliations, sexual orientation, medical history and family details.
Organisations other than, for example, government or health bodies must have specific, justifiable reasons to collect and process sensitive personal data. These may relate to a record of criminal convictions when working with children, or to the employment of individuals with specific medical needs. The GDPR lists ten specific conditions; to justify processing sensitive data, at least one must be met.
Six steps to be GDPR ready
- Get your people up to speed. Ensure everyone in your organisation understands the principles of GDPR, how it affects the data they handle and the policy and procedures you have in place. Following the implementation of the GDPR in May, anyone can now call your organisation and ask for specific information you might hold on them. Make sure you have a process in place and your employees know what to do.
- Review your contracts. Do you outsource payroll, marketing or computer systems? It’s time to check that your external partners are taking GDPR seriously.
- Do a data audit. Look at what data you hold – and why. Record the steps you take to be compliant, including installing data security and refreshing information to maintain accuracy. Only collect and store the minimum amount of personal information necessary for your intended purpose (and if your legal basis is customer consent this must be recorded).
- Put processes in place to ensure that you retain the personal data no longer than is necessary for the performance of the contract, activity or to comply with existing legislation or sector regulations.
- Be transparent. Explain why you collect data and where you’re sharing it – as well as how people can contact you if they have requests or concerns. This will help inspire confidence and trust with your customers.
- And when something goes wrong… Know what you will do in the event of a data breach or information request and make sure your people are fully trained. Having a plan in place will ensure you can comply with the 72-hour notification timescale and save your business time and reputational damage.
If, as an organisation, you have systems and processes in place, or a coherent plan for putting them in place, then in the event of a breach the ICO may look kindly on you; if you have done nothing, a significant fine is likely.
GDPR and audit
Auditors’ concerns relate to two primary areas:
- How do we conduct a GDPR audit?
We consider the seven GDPR principles as laid out in Article 5 and adjust our audit plans to ensure that through a range of audits we consider the GDPR impact. We can obviously undertake a GDPR readiness review in line with the principles of a programme and project management audit.
- How does the GDPR affect our record keeping?
This is more complex and depends on our relationship with our auditee: if we are an internal function, then our role should be governed by the organisation’s GDPR Framework.
If, on the other hand, we are an outside body, then we will need to ensure that our letters of engagement/contracts with our clients include a data processing addendum, and ensure our audit process includes a ‘records of processing’.
This is relevant for two key reasons:
- working with our clients to ensure compliance with individuals’ rights in respect of their personal data
- the ability to work with our clients in the event of a data breach. If the auditors suffer a data breach then we need to be able to inform our clients within 72 hours of discovering the breach where there is an impact.
As a rule, auditors should not collect personal data in the normal course of an audit and any data that is collected should be afforded adequate protection.
* The Article 29 Working Party was the advisory body made up of representatives from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission. On 25 May 2018, it was replaced by the European Data Protection Board under the EU General Data Protection Regulation.
** Organisations with fewer than 250 staff do not need to maintain records of processing activities for all activities, only those considered to be of risk to the individual or where sensitive categories of data are processed.
About the author
Steven Connors, partner, HW Controls & Assurance
Steve is a GRC specialist working with clients across a range of sectors to help them deliver value from their information systems while at the same time ensuring that the data remains secure.
Steve has been assisting organisations to take a pragmatic approach to compliance with GDPR by challenging them to consider how compliance can drive business value. Steve joined Haines Watts in 1995 and through roles in industry and consultancy, he has gained extensive experience of information security, risk management, corporate and IT governance, business process re-engineering and business intelligence.