How to ensure a GDPR response that won’t put you at risk
General Data Protection Regulation (GDPR) is coming and it’s important.
From 25 May 2018 all firms processing the personal data of data subjects who reside in the EEA, irrespective of where the firm itself is located, need to be ready. Those who aren’t taking it seriously need to start, and those that are need to be sure that their response is robust.
With direct lines of accountability back to individuals and fines of up to 4% of annual global turnover or €20,000,000 (whichever is greater), getting it wrong simply isn’t something companies can afford.
This may lead firms to question:
How do I ensure I have the right procedures in place?
How can I bring in the right expertise?
How quickly can I bring someone in?
Who can be trusted to provide the talent?
Are there alternatives to the ‘GDPR expert’?
Danos Associates, together with our consultancy arm, Danos Consulting, and our strategic partner K&E Consultants, can offer both long-term and short-term solutions.
We have a unique relationship with experts in risk governance. This allows us to screen candidates at a higher level before presenting them for interview, a significant time saving for our clients and an added level of trust in the process.
Speed is of the essence in recruitment, and even more so in consulting. Having an established network of experts, practitioners and project managers allows us to fill challenging roles quickly and cost-effectively.
When it comes to security around GDPR we can help:
We can put in a Project Manager to lead GDPR projects as well as other contributing roles.
We can put in teams to review GDPR projects and provide SME advice and support.
We can help you make sure you have the wider teams to support programmes such as this with ongoing Data Security, Privacy and Governance Experts and Cyber Risk specialists.
As specialist risk recruiters and consultants in the financial services industry we have seen a huge increase in demand for GDPR specialists across the board. In the six months to the present date, in London alone, 979 GDPR-related roles have been advertised.
This compares with 102 in the same period in 2017 and a mere 3 in 2016.
Job Vacancy Trend in London
Job postings citing GDPR as a percentage of all IT jobs advertised in London.
This makes for a competitive marketplace, but we have permanent and consultancy staff ready and waiting to go.
Please do contact me if you’d like to discuss how we can support you.
+44 (0) 20 3889 5757
What is it?
The EU GDPR was designed to harmonise data privacy laws across Europe and to reshape the way organisations across the region approach data privacy. It is an essential step forward in enhancing the privacy and security of personal data. It has been described as “Data Protection on Steroids”.
Focus will undoubtedly be on the sanctions that apply for failing to comply: up to 4% of annual global turnover or €20 million (whichever is greater). That upper tier is reserved for the most serious infringements, but firms may still face the lower tier of up to 2% of annual global turnover or €10 million for failures such as not keeping adequate records of processing, not notifying the authorities of a breach or not conducting data protection impact assessments.
The conditions for consent to use a subject’s personal data have been strengthened. Reliance can no longer be placed on standard terms and conditions. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language and setting out the purpose of the data processing. It must be as easy to withdraw consent as it is to give it.
Firms will be obliged to notify the supervisory authority of a breach unless it is unlikely to result in a risk to individuals. That notification must be made within 72 hours of becoming aware of the breach, and where the breach is likely to result in a high risk to individuals, the affected data subjects must be informed as well.
Data subject rights
Extensions to the individual’s rights include greater access to the data being processed, including where it is held and for what purpose, and the right to be forgotten (data erasure). Erasure can be requested where, for example, the data subject withdraws consent, and it can extend to halting further dissemination of the data and stopping third-party processing of it.
Key considerations for firms
Under the GDPR, the data protection principles set out the main responsibilities for organisations. There are six principles in Article 5(1) and an accountability principle in Article 5(2).
Personal data shall be:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary;
- processed in a manner that ensures appropriate security of the personal data.
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.” – Article 5(2)
Some questions firms may wish to ask themselves when assessing their compliance with GDPR include:
- Is the firm a data controller, data processor or both?
- Who is responsible and therefore accountable within the firm? Do you need a data protection officer?
- What data is held? Where, how and for what purpose? Is it still required?
- How is the data used, by whom, who has access to it and should they?
- Who is the data shared with? How is this controlled? Can access be removed or data retrieved and/or deleted?
- Is IT security up to date and robust?
- Are policies and procedures clear and effective?
- How is privacy information communicated to data subjects? Is it provided in concise, easy to understand and clear language?
Steps firms should be taking
- Risk assessment. Based on the nature of the business and its role as data controller, data processor or both, it is essential to understand the potential risks to individuals. The risks should be evaluated, classified and mitigation adequately evidenced.
- Data mapping. Documenting what personal data is held and the lawful basis for holding and processing it, how it is used and with whom it is shared. Data flow maps and data lifecycles should be produced. If data is found to be inaccurate and has been shared externally, the firm is obliged to notify the recipient organisation so that it can correct its records.
- Communication and disclosure. A review of how the rights and obligations are communicated to data subjects, including the process for consent and withdrawing consent. A review of existing consents to ensure they comply with the new requirements or obtain new consents. Firms should ensure they are clear upfront when collecting data how that data is to be used and then ensure that they operate in accordance with this. Where third parties are used, this should be disclosed.
- Policies and procedures. A review of existing policies and procedures and the introduction of new ones dealing with personal data, including but not limited to:
– data capture and storage;
– recording of consents and the process for withdrawing consent;
– data subject access requests;
– rectification or erasure of data;
– data sharing with third parties;
– record keeping and data retention;
– identifying and dealing with breaches, including roles and responsibilities and the notification process.
- IT security. A review of IT security including resilience testing; access rights and access reviews; data portability; fraud prevention; and vulnerability scanning and patching.
- Awareness and training. Ensuring all staff are aware of the changes, policies and procedures and roles and responsibilities.
The Information Commissioner’s Office (ICO) is the authority in the UK responsible for upholding information rights and has useful information and tools available to firms implementing GDPR: ICO.org.uk