GDPR – Wake-up Call!
After a slow start, things are accelerating rapidly towards the fall of 2017 and EU organisations are rolling out their General Data Protection Regulation (GDPR) programs, a Regulation that will replace every data protection law in the EU on 25 May 2018.
So far, indications are that within the EU the finance and banking sectors are in the driving seat, and in general ahead of the game when compared to other organisations that do not handle personal data as their core product. Some businesses, regardless of their focus, are unfortunately making mistakes and encountering significant challenges in navigating the GDPR jungle. Product vendors claiming they can easily make your organisation GDPR compliant further accentuate the issue. The IT and compliance teams can be easy targets because they might not understand the complexity of the GDPR as well as the data protection legal team does. On the other hand, the legal team would understand the complexity of the law, but might be at a loss on how to implement it across the business.
Some EU organisations are addressing this challenge by creating cross-disciplinary teams, incorporating the competences of both the compliance and legal teams as part of the Privacy (Data Protection) Office function.
The following sections address some very simple questions, with tips to help organisations that are keen to get started but not quite sure how and where.
Who owns personal data?
Does it really matter? Yes. Personal data is purely a loan to the controller. The data subject can ask to have it back, have it erased under the right to be forgotten (RTBF), and even request that the controller transfer their personal data to another service provider (portability).
Why is privacy different from security?
Over and above the security of personal data, the GDPR mandates, amongst other things, that:
- Collection of personal data is limited to, and aligned with, a specific purpose;
- You may need consent, i.e. the permission of the data subject, and this consent must be evidenced;
- Personal data must be kept up to date, and the data subject has the right to challenge its quality;
- The use of personal data within the organisation must have a legal basis;
- The data subject has the right to ask the controller what information it is collecting and why, as well as the right to have that data erased and to be forgotten;
- The controller must be open and transparent in its communications with the data subject and the supervisory authority (SA);
- Controllers must be able to demonstrate compliance with the GDPR.
Where is the compliance checklist so I can get started?
The bad news is that GDPR compliance is not a tick-box exercise.
Once you realise that personal data is any data linked directly or indirectly to an individual, and that processing is anything done with personal data, including backup and storage, it becomes clear that every employee today is likely processing personal data without realising it. Your tick-box exercise needs to transform into a change management project.
The good news is that some easily accessible tools can help your organisation on its GDPR journey.
- Document business processes – GDPR work can be simplified (and money saved) if the business processes required to collect and store data are documented. In documenting the process, the business process owner will, by default, take ownership of the personal data collected and processed. Subsequently, personal data flows are created, which document personal data from the moment of collection until end of life, e.g. safe destruction.
- Implement industry best practices – Are you following industry standards for your information security (e.g. ISO 27001) and IT service management (ITIL/ITSM)? The former is a prerequisite for the security of processing (Article 32) and the latter for incident management reporting, which is needed to meet the personal data breach notification requirement.
- Create an inventory of your personal data processing activities. This is possible using an off-the-shelf product. If you have a small and non-complex business model, you could get away with using a spreadsheet or a small database.
- Roll out privacy awareness training across the organisation; just 10-15 minutes is a good start. The minimum employees need to be aware of is 1) what is personal data, 2) what is processing, and 3) why should I care? This is important because, if employees know the meaning of personal data and its processing, the company reduces its risk of penalties.
The take-away from this article is that GDPR compliance is a change management effort, and you can get started now. Much of the advice above is not GDPR-specific and should be followed anyhow to achieve operational efficiencies across your business operations. GDPR compliance provides an excellent business case to get the necessary funding.