If you haven't complied with GDPR data protection rules, you're late. But there's still time to act.
Share this article
By now, all companies will have heard of the GDPR. This fast-approaching piece of European legislation marks something of a sea-change in the way data is regulated, ripping up the existing rule book in establishing new requirements and imposing potentially hefty fines.
For the most part, data privacy is seen by businesses as being a technological problem, addressed by technological solutions. And, increasingly, firms are putting their faith – and reputations – in quick-fix technological solutions on the market that claim to offer a shortcut to compliance.
In fact, over the last few months, there has been an explosion in the number of technology vendors operating in the data privacy-related market. In January 2017, for example, the International Association of Privacy Professionals’ (the “IAPP”) Privacy Tech Vendor Report listed 51 such vendors.
By the fourth iteration of the report, that figure had nearly doubled: from 51 to 99.
Technology can of course be useful. Enabling organisations to undertake important compliance steps such as data mapping, reviewing consents and scanning websites for monitoring technology, such solutions clearly do have a role to play. The problem, though, is one of overreliance.
This can be extremely dangerous; technology should not be seen as a silver bullet allowing organisations to become “GDPR-compliant” overnight.
As was set out by the UK Information Commissioner, Elizabeth Denham, in a speech to the Institute of Chartered Accountants earlier this year, the GDPR is all about understanding the risks posed by a company’s own data processing activities and being accountable for the measures taken to minimise those risks.
Compliance is absolutely not a box ticking exercise, and there are no “one-size-fits-all” or “cookie cutter” solutions.
However, regulators will be keenly watching those organisations who seek to rely too heavily on technological fixes alone and do not fundamentally have a working knowledge of what data they collect, how it is collected, where it is stored etc.
There is no substitute to devising a comprehensive compliance plan. If firms are to avoid betting the farm on the risky option, what can they be doing?
Organisations need to ensure that they have robust policies, procedures and processes in place. Under the GDPR, regulators can impose heavy fines of up to €20 million or 4% of global turnover, whichever is higher. Also, even if fines are not substantial, organisations could still incur reputational damage as a result of an enforcement notice. Consumer confidence is key, after all.
Technical solutions can and should be implemented alongside a genuine and robust compliance programme. Organisations might consider prioritising the following as a minimum:
- Get senior management buy-in.
As Elizabeth Denham explained in her “GDPR messages for the boardroom” vlog, the GDPR is a “boardroom issue”. Fundamental compliance steps such as data mapping require the co-operation of many stakeholders, including Human Resources, Marketing, Finance and IT. In many organisations, this can only be achieved with the support and sponsorship of senior management.
- Employ the right people.
A GDPR compliance project team should draw on a broad range of experienced individuals, not just those in the IT and legal departments. Organisations should ensure that they have the right people in place to achieve clear compliance aims. In some cases, organisations may need to hire a Data Protection Officer.
- Train your staff.
All staff should be aware at some level of data protection law. Policies and procedures cannot prevent human error, although thorough training can help minimise the risk posed by those processing personal data. In particular, staff must be aware of how to report a personal data breach and the importance of doing so immediately.
- Understand data protection “by design and default”.
The principle of ‘data protection by design and default’ requires organisations to build data protection into their products throughout their lifecycles, rather than addressing data protection as an afterthought.
These principles will again need to be communicated through clear policies and effective training. Product development, creative and marketing teams should all be made aware of these new requirements.
- Think about how you will respond to a breach.
The GDPR requires organisations to have technical measures in place to detect a data protection breach.
Organisations should think about how they would respond to a suspected breach and ensure adequate policies are in place. Larger organisations may look to identify external providers, such as law firms and security consultants, who will assist where required. Cyber breach insurance policies may also be required in some cases.
- Set up an accountability framework.
Compliance efforts will not end on 25 May 2018; the GDPR requires ongoing reviews and audits to ensure compliance efforts keep up with any changes to the way an organisation operates.
For those businesses who have yet to consider their obligations, the advice is to start thinking about compliance under the GDPR as soon as possible.
Not only will compliance be crucial for retaining customer trust it will also avoid being made an example of in a way that will hurt not only your reputation, but also your bottom line.
Many companies mistakenly believe that they need to be compliant come 25 May 2018, however, as the Irish Commissioner recently went on record as saying, this is in fact a mistake – companies need to be compliant on 24 May 2018 as enforcement action begins the day after.