Keep calm and carry on...
100 days to go to GDPR – 3 steps to GDPR compliance
With the GDPR now less than 4 months away, chances are that, like many others, your company is not yet prepared. GDPR had a 2 year implementation window, but organisations now have 100 days in which to deliver a 2 year programme. Don't panic, but do get started. To help you, we have put together a 3 step process which will guide you on the journey. Remember that 25.05.18 is the start of GDPR, not the finish line: it is a continual exercise to create, maintain and update data privacy practices within your organisation to comply with the law and with best practice for data privacy. Those that do it well will also get the added "competitive advantage" bonus.
What are your GDPR risks:
So, what probably won't happen: The ICO is relatively small in staff numbers (about 200) and there are about 1.5m companies to deal with, as well as 3+ million sole proprietorships, so we are convinced that the ICO will not be knocking on your door any time soon to conduct a random audit and hit you with the big fines that have made the headlines, so long as you have got underway on the GDPR journey and no one reports you for a breach. Keep calm and carry on.
What may happen: Instead we think that the main ways that GDPR will impact businesses are:
1. Data Breach: if one of these affects your organisation, the GDPR spotlight falls on you and you are in top-tier fine territory, not to mention litigation, enforcement orders, remediation and damage to your organisation's reputation, share price collapse and a fired board. Think what happened to TalkTalk, for example.
2. Data Processor Obligations: increasingly, controllers are looking to their processors to see how compliant they are with GDPR (it's Article 28 if you are interested). If a processor is not able to give the appropriate guarantees, then it becomes a significant risk to the data controller, and that is enough for contracts to be terminated or not renewed: we have seen this happen.
3. Data subject rights: whether you think there will be a SARs (subject access requests) epidemic or not, data subjects have the right to their data and to understand who is processing it, for how long, who has had access to it and where it is stored, as well as a right to a copy of all the data. In most cases: failure to comply with SARs = complaint to the ICO = risk of audit = a whole lot of pain.
4. Customer Perception: finally, if you are not complying with GDPR, and, importantly, not showing your customers that you are complying, then your business is running the unnecessary risk of giving the impression that it does not care about complying with the law or about your customers' data. Conversely, there are plenty of studies to show that being trusted by your customer base increases your competitive advantage. So, as you have to do GDPR, you may as well do it right.
The 3 steps to compliance
There is no magic here: you have to do the whole GDPR journey. However, if you are only coming to the GDPR table now, you will need a 2 pronged strategy: the things to get over the line by 25 May, and a longer-term GDPR compliance programme.
Step 1: rest of February:
(a) Assemble a team (internally and externally). This will require budget, resources and, if you can get one, a privacy expert who actually knows how to guide you. There are numerous get-rich-quick service providers who will charge you a fortune and leave you high and dry, so careful consideration is needed.
(b) Document, as best you can, your personal data processing activities, such as how the business collects, uses, shares and otherwise processes personal data; check where you are a controller or a processor (or both), what sort of security processes you have, and what geographies you process in.
(c) Gather all your data policies and notices and any data governance processes you may have. Check for certifications such as ISO 27001.
(d) Consider whether you need (or are required to have) a DPO. A good data protection officer who understands the law and who also understands, or can come to understand, your business may be vital. Whatever else about the GDPR, it is not going away, ever, so bite the bullet and make sure you have a point person who knows what they are talking about.
Step 2: March
Conduct a GDPR gap analysis. This process will require you to go through all your data flows, technology arrangements, security certifications, and existing policies and procedures, check them against existing legislation, and assess where the weaknesses are for the purposes of GDPR. The analysis should also make recommendations to:
· Prioritise compliance activities and remedial measures based on the areas with the highest risk (this will include separating the things that have to be done by 25 May 2018 from the ongoing, lower-priority and lower-risk GDPR elements which may be done later);
· Create a data register to meet GDPR recordkeeping requirements (Article 30);
· Provide recommendations based upon reviews of your organisation's systems and processes. For example, can IT systems and processes cope technically with the expanded individual rights, such as SARs?
· Start to create and/or review existing privacy policies and procedures with clear and practical guidance on GDPR compliance. For example, an employee responsible for validating personal data when someone registers on your website must have access to any policies applicable to them performing their role effectively and within the GDPR. The policies must be in plain English so that anybody can understand them.
Step 3 (a): April and May
· Based on the Gap analysis complete the highest priority tasks – these are likely to be
o Identifying the key ongoing risks
o Complete your privacy notices (internal and external)
o Repapering contracts to reduce legal exposure (whether you are a controller or a processor)
o Establishing a basis for data processing and cross border transfers
o Starting to build a data governance system
o Commence the processes for privacy by default and by design, DPIAs (data protection impact assessments) and LIAs (legitimate interests assessments)
o Ensure appropriate technology (particularly with respect to Data Breach)
o Putting in processes to enable individual rights such as SARs delivery
o Land a DPO (or as mentioned in Step 1 get someone who knows what they are doing)
o Manage employee rights
§ Create an intranet page on how you manage your workers' personal data. This should be written in clear language that your employees can understand easily.
§ Define a method for processing any employee requests. Ensure workers know where they can issue a request, and that you know who in your HR team manages the request, as well as how it will be registered and tracked. Evidence is key when it comes to GDPR.
Step 3 (b): April and May and beyond
· Build and maintain a data governance system; evidence is key when it comes to GDPR
· Perform data protection impact assessments, along with data protection by design and by default
· Prepare for PECR
· Complete privacy by default and design processes
· Configure systems and put in place processes to accommodate data subjects’ rights, including access, rectification, erasure, portability, objection to automated processing and revocation of consent
· Create enhanced solutions for detecting, containing and reporting security breaches (under Article 33, a notifiable breach must be reported to the supervisory authority within 72 hours of becoming aware of it, so detection and escalation must already be in place)
· Establish communication channels with the DPA (data protection authority)
Remember, these are the big ticket items. There will be more, particularly once the ICO provides more guidance and the courts have given their guidelines and judgments. The GDPR is a continuing process which starts on 25 May 2018, after which it will become part of daily life.