TRANSACTION FOCUS AND APPROACHES TO ACHIEVING COMPLIANCE WITH THE PROVISIONS OF GENERAL DATA PROTECTION REGULATIONS (GDPR)

Background

GDPR is about 2 years old and has been a legal requirement for all UK and EU businesses for the whole of that time, and from 25th May 2018 it will be enforced with a system of fines and penalties by the Information Commissioner’s Office (ICO).

The maximum fine for a breach of the regulations is 20 million Euros or 4% of global turnover, whichever is greater, with a second-tier penalty of half that amount for slightly smaller firms.

The ICO currently lacks the budget for staff to tackle the smaller UK firms among the 6.5 million registered at Companies House, Cardiff, but it will use fines from large, high-profile cases to gradually expand its work of policing the regulations and fining companies that are otherwise beyond the reach of HMRC through cleverly constructed offshore arrangements.

Obviously the ICO cannot be too harsh on SMEs, because there are 1.8 million “zombie companies” which are in breach of their banking covenants, and many fledgling “unicorn” start-ups which, if fined too heavily, would be put out of business, with their staff turned into benefit recipients unable to contribute to the country’s tax revenues.

The official rationale for GDPR is the protection of people’s data, the ability of consumers to resist “spamming” and unwanted unsolicited approaches from marketing companies, and a “right to be forgotten”, subject to certain requirements being met regarding the public interest.

Breach Procedure

Any breach, whether accidental, inadvertent or otherwise, has to be reported to the ICO within 72 hours, and this applies regardless of staffing levels, weekends, Bank Holidays, half terms or people being ill.

If Directors “take the company down”, on the advice of their accountants or of their own volition, in an attempt to evade ICO-mandated penalties, then the ICO can go through the “corporate veil” and pursue individual directors, either for not dealing with known risks properly, as they have been required to do since 2006 following the Turnbull Report, or by bringing the matter into the orbit of the criminal law, as the ICO Commissioner has suggested might be the case with Cambridge Analytica, which was “taken down” prior to “Phoenixing” under a new name.

Structure

GDPR has 11 Chapters and 99 Articles and runs to 133 pages.

It has 6 privacy principles which are contained in Article 5.

These are:

1. Lawfulness, fairness and transparency

2. Purpose limitation

3. Data minimisation

4. Accuracy

5. Storage limitation

6. Integrity and confidentiality

Whilst these 6 principles seem to mirror the scope of the existing Data Protection Act, GDPR applies much more broadly which means that existing compliance programmes have to be updated and that what is currently in place is no longer sufficient or fit for purpose.

GDPR creates a need for organisations to map their data flows and to conduct, or have completed for them, Data Protection Impact Assessments (DPIAs).

These must at least cover the following desired outcomes:

– A description of the data processing and its purposes

– The legitimate interests you are pursuing with the data processing

– An assessment of the necessity and proportionality of the processing

– An assessment of the risks to the rights and freedoms of data subjects

– The measures you envisage to address the risks

– All of the safeguards and security measures to demonstrate compliance with the regulation

– An indication of timeframes if the processing will include the erasure of personal data

– An indication of any data protection by design and default measures

– Compliance with approved codes of conduct

– Details of whether the data subjects have been consulted and have consented

As can be seen, organisations and businesses will have a great deal of work to do to restructure processes and systems to comply with GDPR, and they will need to appoint a Data Protection Officer or obtain appropriate consultancy and advice, including from the ICO website’s guidance notes, to become compliant.

Beyond these steps, GDPR will have to be incorporated into risk management plans as an additional element of risk, which must be carefully considered by the board and minuted along with all other categories of risk.

Achieving Compliance

For large businesses which have not already done so, there will be a need to appoint Data Protection Officers, and possibly teams of such people, dependent on the extent and complexity of the work, which will of course be ongoing.

Unlike normal employees, you will not be able to dismiss these people, as they fall into a ring-fenced protected category.

Preparing Now For GDPR

The ICO has provided a 12-step checklist highlighting what needs to be done to ensure compliance by 25th May 2018, just 15 days away as of this writing.

The 12 points deal with:

  1. Awareness

This means ensuring that decision makers and key people are aware that the law is changing, appreciate the impact that this is likely to have, and identify areas that could cause compliance problems under GDPR.

  2. Information You Hold

This means documenting what personal data you hold, where it came from and who you share it with.

You may need to organise an information audit across the organisation or within particular divisions, functions and business areas of operation.

  3. Communicating Privacy Information

You should review your current privacy notice and put a plan in place for making any necessary changes in time for GDPR implementation.

The ICO’s code of practice covers what form you need to adhere to.

  4. Individual Rights

Under GDPR these are enhanced beyond those of the current Data Protection Act to include the following:

– Subject Access

– To have inaccuracies corrected

– To have information erased

– To prevent direct marketing

– To prevent automated decision making and profiling

– Data Portability

  5. Subject Access Requests

You should update your procedures and plan how you will handle requests within the new time scales and provide any additional information.

  6. Legal Basis for Processing Data

This means looking at the various types of data processing that you undertake and identifying your legal basis for carrying each of them out.

  7. Consent

You should start thinking about and review how you are seeking, obtaining and recording consent, and whether you need to make any change to ensure that you have an effective audit trail.

  8. Children

You should start thinking about putting systems in place to verify individual ages and gather parental or guardian consent for data processing activity.

Privacy notices have to be written in language children understand, and consent must be verifiable.

  9. Data Breaches

You should ensure that you have the right procedures in place to detect and report personal data breaches.

Larger organisations need to have policies and procedures for managing data breaches at central and local levels, and should bear in mind that failure to report a breach within 72 hours can result in a fine in addition to any fine for the breach itself.

  10. Data Protection By Design and Data Protection Impact Assessments

You should familiarise yourself now with ICO guidance on Privacy Impact Assessments and work out how to implement them in your organisation.

You should assess the situations where it will be necessary to conduct a DPIA and decide who will conduct it, who else needs to be involved and where the process will run from.

  11. Data Protection Officers

You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance, and assess where this role will sit within your organisation’s structure and governance arrangements.

  12. International

If your organisation operates internationally, you should determine which data protection supervisory authority you come under.

ISO 27001 as a Tool to Speed Up GDPR Compliance

This is an internationally recognised management system standard for information security management, which describes the requirements of an information security management system based on established best practice.

It is sector agnostic, does not favour any one technology or solution and can be used by organisations of any size.

It sets out requirements for what must be done to secure information but provides scope for organisations to determine how they implement the requirements to meet their organisational objectives and risk “appetite”.

Structure

At the top level there are 7 main headings:

– Leadership

– Context

– Planning

– Support

– Operations

– Performance Evaluation

– Improvement

The approach to risk mirrors that of GDPR, and overall the ISO 27001 standard offers a 75% solution to GDPR compliance, leaving companies and organisations with the 25% that remains.

Transaction Focus has arrangements in place to assist companies and organisations with GDPR proper and, through sole provider arrangements for ISO 27001, with a proven internationally recognised supplier of standards that operates throughout the UK and the world.

https://www.youtube.com/watch?v=2Tkn9q2ZNKk

©Transaction Focus is registered in England & Wales No.5241180
ICO Registration Reference No. ZA003579