We are often asked what the key differences are between the new GDPR (General Data Protection Regulation) and the old UK Data Protection Act (1998). Other people may tell you about data subject rights or breach reporting or bigger fines.
For us, the most important change is accountability in a framework that needs to be designed with data protection at the forefront. In the past you could be called to task if you had a data breach and, at that point, your systems and processes would come under some scrutiny. The reality now is that your systems, procedures and processes need to be accountable, visible and clear at all times.
This has moved from an implicit requirement to a very clear and explicit principle. Article 5(2) of the GDPR says:
“The controller shall be responsible for, and be able to demonstrate compliance”.
For avoidance of doubt, if you collect personal data for any business reason then you are likely to be a data controller.
In short, you are responsible for compliance and you must be able to demonstrate your compliance. And the ICO is very clear on this in saying that “You need to put in place appropriate technical and organisational measures to meet the requirements of accountability.” The way that you do this is by adopting a data protection by design and default approach.
The GDPR journey as a whole can be troubling for many organisations. Whilst the legislation describes at length how it expects organisations to handle personal data and the rights that data subjects have in relation to that data, it’s noticeably agnostic and ambiguous around how all of this is to be implemented and managed.
There isn’t a silver bullet or panacea for the GDPR and the recent bombardment by ‘experts’ foretelling fines, reputational damage and other nasties has led to GDPR lassitude across the board. Businesses are moving further from compliance due to a lack of knowledge around how to tackle the GDPR pragmatically and practically.
To demonstrate your accountability you will probably need to review how you manage this often overlooked area of your business. It is likely that you can anticipate some or all of the following:
- Potentially appointing a Data Protection Officer (DPO) or at least having an individual who is responsible for data protection;
- Implementing appropriate security measures to protect the data that you hold;
- Reviewing your written policies and procedures and probably adding new ones;
- Identifying the information that you hold, where it comes from, what you do with it and how you protect it;
- Documenting your lawful basis for holding and processing this data;
- Looking at the contracts you have with entities that can process or access your data;
- Updating your internal and external privacy policies;
- Increasing staff awareness around data protection.
This might seem like a lot of work that all needs to be done yesterday, but that would be the wrong approach to take. The rush to be GDPR compliant by 25th May is over and we’re into prioritising and sorting out a plan now rather than panicking or ignoring things completely. The latest guidance from the Information Commissioner is “Don’t panic… the important thing is to take concrete steps to implement your new responsibilities — to better protect customer data.”
And it’s not all bad news. Don’t forget, there are benefits to having these things in place that go far beyond complying with the GDPR: not least improved data management and accuracy, increased marketing return on investment and the all-important boost to client loyalty and trust.
Wherever you are in your GDPR journey we can help you through fairly priced, effective and pragmatic consultancy. The GDPR is not a checkbox exercise; it’s not just about technology and it’s not just about operational practices.
Our gap analysis audit and report looks individually at each of the 99 articles of the GDPR and provides comment on all that are relevant; it also works through the constituent policies and procedures of a data governance framework to compare with the ones you currently have in place. Finally, a basic outline of an Information Asset Register is included covering your main systems.
We know that not every business has a dedicated, trained expert to keep up with it all. Even those that have a resource in place sometimes need additional support. We also understand that budgets can be tight and that every penny of spend needs to be justified. For that reason we offer the gap analysis to target specifics and give you a firm idea of what needs to be done. You can then take as much or as little help from us as you require.
Perhaps now would be a good time to review where you are, produce an outline project plan and get started on the tasks. Demonstrating a will to work towards compliance is the best option to support your accountability!