GDPR: 3 Things You Must Know and 8 Steps to Take NOW
22nd May 2018 | Ardi Kolah
It's been five years since the European Commission proposed a radical overhaul of Europe's out-of-date data protection laws, and the EU General Data Protection Regulation (GDPR) comes into force this week.
GDPR creates the legal framework for the operation of the Digital Single Market, as well as helping to create a level playing field by sweeping away 28 different data protection and privacy laws across individual EU member states and replacing them with this one EU regulation.
Many of its critics complain that data subjects have been given too much power over organisations that are simply trying to make a living by using data to drive their business and serve their customers. However, what is clear is that GDPR poses a significant threat to business continuity if data controllers and data processors get this stuff wrong; administrative fines can be up to an eye-watering 4% of global turnover, or €20m.
This is a quantum leap in financial sanctions available today. It's also a very clear sign that supervisory authorities have got much sharper teeth with which to enforce compliance, so it will pay to keep on the right side of the Information Commissioner's Office (ICO), and the Financial Conduct Authority (FCA).
At 260 pages in length, with 99 Articles and over 100 pages of explanatory notes known as ‘Annexes’, the GDPR is roughly three times the length of the Data Protection Act 1998 it is replacing.
Even post-Brexit, all UK financial services organisations doing business in the EU will need to comply with GDPR.
The 3 Biggest Features of GDPR
- Removing the requirement for the 'data controller' (i.e. your company) to notify, or seek approval of, personal data processing from the Data Protection Authority (DPA).
Although this cuts 'red tape', GDPR actually places a higher duty on organisations to put in place effective procedures and mechanisms focusing more on high-risk operations (e.g. involving new technologies) and to carry out Data Protection Impact Assessments (DPIAs) across the whole organisation rather than on a project basis.
- Data processors (such as cloud service providers) now have direct obligations, which include implementing technical and organisational measures, as well as notifying the data controller without undue delay when there's a personal data breach, which now must be reported to the supervisory authority within 72 hours.
- In certain circumstances, both data controllers and data processors must designate a Data Protection Officer (DPO). This is a new breed of senior manager who is independent and - although the DPO reports to the highest level of management authority - is a mini-regulator within the company.
Any financial services organisation that is regularly and systematically monitoring and processing personal data of its customers/clients will need to appoint a DPO or hire a freelance DPO to do the job.
8 Things You Should Do NOW to Prepare for GDPR
1. Carry out a DPIA 'Lite'
Quickly undertake an audit of all personal data processing activities, either carried out now or planned to be carried out in the future. Is this personal data processing being conducted with the consent of the data subject or under 'legitimate interest' that hasn't been overridden by the interests of the data subject?
- The burden of proof is now on the data controller to show evidence of consent, which needs to be unambiguous and, in the case of processing 'special personal data', such as sensitive financial data, must be explicit.
- Notices, in ordinary language, for the time period in which consent has been given, as well as the purpose for which the personal data can be used, must be properly recorded.
- Use the transition period intelligently by carrying out re-consenting of existing customers and clients, to show that you take their data protection seriously.
2. Check all supplier contracts with data processors to ensure they are GDPR compliant
Data controllers can't pass the buck when things go wrong and blame the data processor, as they may have tried to do in the past. Both now share joint and several liability for personal data breaches.
A data controller entering into long-term commercial arrangements (24 months or more) must check that these comply with the GDPR and ensure that the data processor acts in accordance with the GDPR; otherwise it will be liable for a big administrative fine.
This extends to visiting the premises of the data processor and ensuring that appropriate security measures against physical harm or damage from flooding, for example, are in place.
3. Check all data protection policies, processes and procedures
GDPR requires that information provided to the data subject is in clear and understandable language and that your policies are transparent and easily accessible.
Assuming that you complied with the provisions of the Data Protection Act 1998 doesn’t mean that you will comply with the GDPR. Ensure that you have clear policies in place to prove that you meet the new standards.
4. Hire a top-flight Data Protection Officer
Join the queue of financial services organisations that want to get their hands on a top-flight Data Protection Officer (DPO). Be aware though that there’s a significant shortage of DPOs in Europe who can do the job and they may command a large pay packet.
As a cost-effective option, consider executive education and training of a senior manager who could become your organisation’s DPO. The caveat here is that they can’t have any conflict of interest and can’t take instructions from the senior management team in the exercise of their duties and responsibilities.
Alternatively, hire the services of a freelance DPO, but make sure they have the right credentials to do the job. Under the GDPR, the DPO must maintain their knowledge and experience for the organisation to be compliant. Otherwise, it’s another administrative fine!
5. Practise the way you'll deal with a personal data breach
There’s a saying that ‘practice makes perfect’ and a key task of the DPO is to put in place clear policies and well-practised procedures to ensure that the organisation can react quickly to any personal data breach and notify the supervisory authority, regulator and data subject in time, where required.
It also helps to ensure that the organisation adopts a risk-based approach to personal data protection and avoids confrontation internally between the DPO and the senior management team.
Data protection awareness training and specialist technical training on a regular basis are mandated as a key responsibility of the DPO under GDPR.
6. Become a champion for transforming the culture in your company
This is perhaps one of the hardest things to do, and it is implicit in the GDPR that organisations must be seen to behave ethically and appropriately, as well as doing the right thing because it is the right thing to do.
This is about leadership, and the Senior Management Team (SMT) must be seen to be taking the lead here, supported by the DPO. The SMT needs to foster a culture of monitoring, reviewing and assessing data processing procedures – with the aim of minimising personal data processing and retention of data, and to build in safeguards.
7. Ensure privacy by design and by default
This is a principle of GDPR and must be embedded into any new personal data processing or financial services product. This needs to be thought about early in the process to enable a structured assessment and systematic validation.
Implementing privacy by design can both demonstrate compliance and create a sustainable competitive advantage. Failure to adhere to this principle will result in products and services offered in the digital market being unlawful.
8. Handle cross-border personal data transfers with extreme care
This is a problematic legal area. With any international personal data transfers, including intra-group transfers, it will be important to check that the data controller has a lawful basis for transferring personal data to jurisdictions that are on an ‘approved’ countries list, and are deemed to have adequate personal data protection.
Getting this wrong could attract a fine of up to 4% of annual worldwide turnover, so the consequences could be severe, not just financially but also from a reputation perspective.
In conclusion, the data controller needs to evaluate the specific risks to the data subject laid out in the GDPR and, as a result, the risk to the organisation of processing this personal data.