25 May 2017
The Final Countdown – Diarising GDPR
When talking of countdowns, you will no doubt be thinking of the immortal rock classic from 1986 by Europe. However, there is another final countdown from Europe which is generating considerable attention and will be a focal point for many, if not all, businesses in the next 12 months, namely the number of days remaining until 25 May 2018. This is the date that the General Data Protection Regulation (GDPR) will be applied.
While GDPR is a piece of EU legislation, Guernsey and Jersey will bring their own (equivalent) laws into force at that time. Even without local legislation, many businesses outside of the EU will nevertheless need to be compliant if they are undertaking one or more of the following:
- offering goods or services to individuals in the EU
- monitoring the behaviour of individuals in the EU
GDPR is very much an evolution of the current legislation, but it will require a change of culture in some organisations. The rights of individuals are being strengthened under GDPR and personal data is accordingly not only a valuable asset, but a prized target for those who wish to do businesses harm.
Treating personal data as if it were your own is a good starting point, as this then embeds a culture which places significant value on data and the need for it to be treated as such.
For many, the process of preparing has already begun. While there are many areas of uncertainty, and further guidance will be published between now and May 2018, there is a lot that businesses can be doing to prepare themselves.
We highlight below three of the core areas for consideration:
Data estate mapping
The first step towards assessing whether you need to do a little (or a lot) to become GDPR compliant is to review your data estate. What personal data do you hold? How does that data come into your business? Why is it processed? For what purpose is it processed? Where is it sent? What access or security controls are in place? What information is given to your customers as to what is happening to their data?
Once that analysis has been undertaken, you can map those results against the requirements of GDPR and assess where your priorities should lie. We also recommend undertaking a risk assessment of those areas and your current processes and procedures to analyse where the most significant risks lie. That risk analysis can overlay the gap analysis, such that the number of tasks to be completed by May 2018 is manageable.
If you rely on consent from customers as a means of lawful processing, then you should consider reviewing those consents with a view to finding an alternative basis for processing. Under GDPR, the data subject has the right to revoke consent at any time, which could cause a significant problem if you are entirely reliant upon such consent.
We suggest reviewing the processing you undertake and finding alternative mechanisms that may work, such as processing pursuant to a contract with the data subject, or processing in accordance with your legitimate interests as a business.
Data Protection Officer (DPO)
While compliance is ultimately the responsibility of the board, GDPR makes the appointment of an individual responsible for data protection compliance mandatory in a number of circumstances. Even if you fall outside the scope of the mandatory appointment criteria, it will still be seen as good practice to have someone specific tasked with oversight of this important area.
The DPO will need to be independent (in other words, not the heads of business lines such as IT, HR, Compliance, CFO, CTO etc.) and have a good understanding of the operational aspects of your organisation. They will also need to be suitably experienced in data protection, security, strategy, communications and the like. Finding such people is already a challenge, so start thinking now about who your DPO may be.
The clock is ticking, so if you have not considered GDPR or its implications, now is the time to start.
To quote Europe – “It’s the Final Countdown…” but without the spandex.