As the May 25th deadline for the European General Data Protection Regulation (GDPR) looms closer, many organisations still haven’t made the internal changes required by the new law. For those who haven’t yet faced up to the impact of GDPR, a good starting point is to understand how the 7 Principles of this new regulation affect their business. The challenge many have found is that there is no ‘one size fits all’ when it comes to GDPR. Every organisation will have different requirements. That’s why it’s recommended that organisations urgently carry out a self-assessment to gauge their own level of compliance, one which considers their own unique circumstances. Here are some of the questions organisations should ask themselves:
- Has all the personal data being held, where it comes from, how it’s processed and who it has been shared with been documented?
- Are lines of accountability clearly documented should there be a data breach?
- Has a lawful basis for the processing been identified and documented? If not then has consent been obtained from the data subjects?
- Is there a process to securely dispose of personal data that’s no longer required?
- Do staff receive data protection awareness training, and do they know what processes to follow to identify, report and resolve data breaches?
- Do we carry out internal audits to monitor our own compliance with data protection principles?
- Have appropriate technical and organisational measures to protect data during processing been implemented?
- Do key people in the organisation demonstrate support for data protection?
- Can we respond to a data subject’s request to see the personal data we hold about them?
The ICO, the UK’s supervisory authority, is providing assistance by making a self-assessment tool available on its website. This can help both data controllers and processors to identify compliance gaps, and it provides recommended actions. After carrying out a self-assessment, organisations need to draw up a plan for tackling the compliance gaps identified. As can be seen from the above questions, documentation is high on the list of priorities. Documentation needs to exist that details the processes and policies to be followed, and that serves as evidence that those processes are actually being followed. This is because, in the event of a data breach, auditors from the supervisory authority will be looking for documentary evidence that shows how the organisation has tried to comply with GDPR. Such evidence could significantly reduce the likely penalties. The level of detail required will depend largely on the sensitivity of the personal data held and the likely risk of a breach. For example, in the case of highly sensitive data, a full Data Protection Impact Assessment should be carried out to understand and mitigate the risks. If companies are diligent in their efforts to protect personal data, and thereby protect the customers themselves, then Elizabeth Denham, head of the ICO, has some comforting words:
‘You will know by now that, while I am never afraid to use the stick in the cupboard, I prefer the carrot.
Education, engagement, encouragement: they all come before enforcement.
I have said many times that we are a pragmatic regulator and that hefty fines will be reserved for those who wilfully or persistently flout the law.’
GDPR is challenging companies to put their data protection house in order, but the benefit of GDPR is that it forces companies to better understand their own processes and improve internal governance. This can lead to greater efficiency and transparency, which can ultimately help to restore the trust in big corporations that has steadily been eroded by every new revelation about misconduct and abuse of power, not to mention poor customer service. Organisations that are looking for ways to avoid GDPR should instead start embracing it as a way to restore customers’ trust.
Mark Jenkins has worked in the IT industry for over 15 years as a BI and Analytics consultant, and more recently as ROC Product Manager for Subex Ltd. He has designed and deployed solutions for global companies in many sectors, including insurance, utilities and telecommunications. Mark holds a BSc Hons in Computer Science from Manchester University (UK).