Effective information governance and ensuring GDPR compliance

The General Data Protection Regulation (GDPR) is an EU regulation intended to strengthen and unify the protection of personal data for individuals in the EU. It applies from May 25, 2018, and organisations need to start work now to be compliant by that date. Organisations subject to the GDPR need to understand what the new rules mean for them and what steps they should take to safeguard personal data and demonstrate compliance while maintaining business operations and profitability.

What does the GDPR mean for me?

The expanded territorial scope of the GDPR may be one of the most consequential changes from previous data protection law. In addition to organisations established in the EU, the GDPR applies to any organisation, wherever it is based, that processes the personal data of individuals who are in the EU in connection with offering them goods or services (whether or not payment is required) or with monitoring their behaviour within the EU. This means that companies based outside the EU may have to comply with the regulation if they control or process personal data relating to people in the EU.

The GDPR defines personal data broadly as any information relating to an identified or identifiable natural person, whether the identification is direct or indirect. For example, a name and address identify a person directly. A description such as "CEO of Corporation ZXY from 2001 to 2011" identifies a person indirectly, and is therefore personal data just the same.

Understanding the articles that apply to data controllers and processors on the one hand and to data subjects on the other will make adoption of a GDPR framework more successful. Several articles set out the rights of data subjects, including the right to be told how their data is being used, the right of access to that data and the right to have it erased from an organisation's systems. Data subjects can make these requests free of charge, and the organisation must respond within one month (extendable in complex cases). These rights will place a significant burden on organisations that are not prepared. A prepared organisation will already have the records, processes and technical resources in place to demonstrate compliance and transparency, and, where the regulation requires it, an appointed data protection officer.

Demonstrating GDPR compliance

Demonstrating GDPR compliance has two main domains: protecting employees' personal data and protecting customers' personal data. A recommended starting point is an information audit to establish what personal data exists and where it is located. Once an organisation knows the "what" and "where" of its data, it can take the necessary steps to safeguard that data in line with the GDPR. The information audit should record the originating sources of the data, the legal basis for processing it and any third parties with whom it is shared. Certification against a recognised standard also helps to demonstrate compliance: ISO 27001, for example, does not by itself make an organisation GDPR compliant, but it establishes the security management practices the regulation expects and puts the organisation in a good position. Being able to show that these activities are carried out, together with effective policies and procedures, supports compliance with the GDPR's accountability principle, which requires organisations not only to comply but to be able to demonstrate that they do.

Organisations should consider performing a Privacy Impact Assessment (the GDPR's term is a Data Protection Impact Assessment, which is mandatory for processing likely to result in a high risk to individuals). This includes building a data asset map to track and prioritise data repositories. The assessment analyses records to identify personal data such as names, personal identification numbers and other structured identifiers that could be used to identify a person. Its results give the organisation a focal point for establishing a compliance framework and mitigating existing risks. In addition, organisations should review their existing data privacy policies to understand how vendors and other third parties handle their clients' personal data, and should put contractual requirements in place for those third parties that are also compliant with the GDPR, since the regulation holds processors accountable alongside controllers.

Depending on its size and the nature of its processing, an organisation may wish to appoint or recruit a Data Protection Officer (DPO); for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data, appointing one is mandatory. Operating in multiple EU jurisdictions adds a further layer of complexity. The DPO should become familiar with the guidance issued by the Article 29 Working Party, so that they can implement effective plans and processes within the organisation. The DPO's core responsibility is data protection compliance: ensuring that processes such as those described above are followed and that standards are maintained, and any other duties they hold must not conflict with that role. The DPO should be considered part of the operational support function but must report directly to the highest level of management or the board. Their duties include monitoring adherence to the regulation, advising on impact assessments, acting as the point of contact for the supervisory authority and supporting the organisation in meeting its obligation to notify breaches and instances of unauthorised disclosure.

Fines under the GDPR can run as high as €20 million or 4% of total worldwide annual turnover, whichever is higher, and can be imposed on both data controllers and data processors. But the consequences of non-compliance will not be measured in monetary terms alone: the reputational damage that follows is often far harder to recover from.
