GDPR – A Practical Guide


A new era in data privacy

On 25 May 2018 the EU General Data Protection Regulation (‘GDPR’) comes into effect with profound and globally reaching implications.  With only a year to go, firms need to take this seriously.  This paper explores the key changes and practical implications.

The Headlines

GDPR is the biggest shake-up of EU data privacy law in decades, replacing the current patchwork of rules to better protect the personal data of EU citizens.  The new law will provide a single, harmonized gold standard that is fit for the digitized society of the future.

No firm can ignore GDPR.  GDPR has extra-territorial reach so, if your firm holds or processes personal data of EU citizens, regardless of location, the law will apply.

The financial penalties for non-compliance are high.  Regulators will be able to fine up to Euro 20mn or 4% of the parent company’s gross turnover, whichever is higher.  In addition, data subjects will be able to sue firms for unlimited compensation.

Breaching GDPR could cost your firm’s reputation.  Stringent new disclosure requirements will heighten the risk of reputational damage, with firms unable to avoid ‘washing their dirty laundry in public’.

Data privacy compliance is a traditional minefield.  The principles of data privacy are not fundamentally changing so if your firm has already been taking this seriously and is complying with existing legislation, the transition to GDPR should be relatively easy.  However, most firms will find this a steep hill to climb.

Key areas of change

GDPR builds on the principles of existing legislation with significant changes in the following areas:

Data Protection Officer – a DPO is required for all organizations with more than 250 employees. Firms will need someone with the appropriate skills and training to help navigate the complex legal and regulatory environment and translate this to practical business and technology requirements.

Appoint a DPO.  The DPO will need to be independent and empowered and will need to partner with experts across the business to achieve GDPR compliance.

Data breach notification – breaches must be reported to the local authorities and affected individuals within 72 hours. This will require speedy and joined-up co-ordination across all areas of the business.

Develop a breach communication framework and test the firm’s ability to detect, report and investigate breaches within the new deadlines.

Privacy Impact Assessments – these will be required when new technology is deployed or when projects change scope resulting in high risks to data privacy.

Update policies and procedures to include the new PIA requirements and build out controls to trigger PIAs when appropriate.

Consent – firms must use plain English and set out withdrawal of consent arrangements clearly as well as obtain parental consent for personal data for children under 13.

Update privacy notices in line with GDPR and build out processes to obtain consent for any children’s personal data.

Privacy by Design – data privacy needs to be baked into business and technology requirements at the outset, not an ‘add on’.

Update policies and procedures to include Privacy by Design and raise awareness.

Right to Erasure (‘right to be forgotten’) – individuals can require institutions to remove their personal data.

Build out systems and processes to respond to erasure requests and simulate how this will work.

Data portability – individuals will have the right to demand personal data in a machine-readable format.

Build capability to respond to data portability requests, including electronic reporting.

Transparency – firms need to demonstrate accountability with clearly documented evidence of GDPR compliance.

Document compliance – potentially a massive exercise to evidence governance.

Responding to requests – firms will have only one month to respond to requests and will need to do so for free.

Review impact on response teams – streamline processes and address resource needs.

Legal basis for processing – firms need to understand and evidence the legal basis on which data is being used.

Ensure legal basis for processing is documented and understood for all personal data.

A programmatic approach to GDPR

In addition to addressing the specific areas of change set out above, firms will also need to ensure they are complying with the rest of GDPR.  This is a traditional minefield for compliance, so it is likely that a holistic programme will be needed to ensure compliance.

Senior management engagement.  Raising awareness and gaining buy-in across key decision makers across the business is an essential first step.  GDPR needs to be a Board-driven priority, with appropriate funding, resourcing and senior business engagement.  GDPR is not just an IT security issue.

Inventory.  Identify and document the personal data that the firm holds, e.g. its origin, consents held, who owns it, who controls it, the basis for holding it, where it is shared and where it is stored.  This may require an information audit.

Gap analysis – map current compliance to GDPR requirements and assess vulnerabilities.  This analysis needs to include the entire supply chain so third party contracts and processes need to be in scope.

Risk assessment – set out the cost-benefit analysis of addressing gaps.  A disciplined approach is essential so that you only collect, buy, process, store and protect the personal data that offers the most value.  Decide what data you no longer need and delete it.

Action plan – develop a roadmap for compliance, with clear milestones for the business, technology, governance, operations, legal, HR etc.  This may require a rethink of your privacy, security and data governance strategy.  Secure budget, resources and business sponsorship.

Implementation – enhance or establish business-as-usual policies, procedures and controls to protect, detect and respond to vulnerabilities and data

Conclusion

Compliance with the GDPR is not optional; it is an ethical and moral imperative that should be attracting a high level of Board-level scrutiny.  Getting it wrong could attract massive financial penalties and, even worse, damage reputation.  Firms need to set aside the fears, roll up their sleeves and embrace the change.  On a more positive note, getting data privacy right is a business enabler, building brand resilience, differentiating against competition, inspiring trust and confidence and securing customer loyalty.  It needs to be woven into the very fabric of the business.

Want to know more?

Temple Grange Partners have developed an approach to guide firms through the key GDPR considerations and can provide skilled data privacy experts and programme managers to help drive your GDPR response.  Please contact us if you would like to hear more.