GDPR is not only a regulation, it’s a mindset!
This month’s it@cork blog is kindly written by Gillian Bergin, board director it@cork and director at Dell EMC. Gillian has a keen interest in GDPR and is leading it@cork’s strategy to disseminate information about GDPR to member companies. She was particularly concerned by the results of a recent EEN, Cork Chamber and it@cork survey that revealed ‘just one in four Cork companies felt confident of meeting the deadline for GDPR compliance’ and wanted to help.
GDPR is the new data protection regulation coming into effect in May next year which replaces the existing EU data protection framework. We are already two-thirds of the way through the 2-year preparation period so by May next year you will be expected to be compliant. Unlike previous data protection frameworks, GDPR is regulatory and fines for non-compliance are huge. But reputational damage can be far worse. If you are not sure where to start or even whether your business is directly or indirectly affected by the GDPR, I invite you to check out our it@cork GDPR early assessment guide by clicking on the image below.
Like most formal regulatory documents, the EU GDPR is a heavy read with a plethora of legal terms and article references (not for the faint-hearted), but let’s try to break down what it all means in layman’s terms.
GDPR doesn’t apply to all data, but it does have implications for all countries. GDPR relates only to the personally-identifiable information (PII) and sensitive personal information (SPI) of EU citizens. See it@cork GDPR infographic above for more detail. It doesn’t matter where in the world you are collecting, storing and processing this data; if it’s considered PII or SPI of EU citizens, then you must comply with the GDPR (i.e. moving your data outside of the EU will not make the problem go away!).
Collect and Protect
- Treat the data like it is that of a family member or close friend. Protect it! Be fair and transparent with it! Remember it is not your data, but you should treat it as if it were. This means collecting only what is necessary and reasonable, no more; using it only for the purpose it was intended for; and seeking consent for both its primary use and every subsequent different use thereafter. Do not share it with third parties without the individual’s explicit consent. Expecting customers to accept long-winded, overly complicated T&Cs will no longer be considered valid consent. Consent with regard to children must be treated differently and is dependent upon the country in which the regulation is being applied (country-specific age of consent).
- The way you gain someone’s consent must not only be unambiguous and explicit, but easy for them to understand and grant, and just as easy for them to revoke.
- If an individual requests access to the personal information you are storing about them, then you have 1 month to comply (an extension can be sought for requests deemed unusually complex). You have no right to charge an administration fee for this service unless it is a subsequent copy of the same data already provided or an exceptionally complex or detailed request.
- Individuals also have the right to request that their personal data be updated (right to amend) or deleted (right to be forgotten). However, you may be in a valid position to decline a request for erasure if the data relates to an ongoing investigation or is genuinely required in order to provide a necessary and desired service to them. Customer profiling may not necessarily be considered a genuine business reason for denying a deletion request.
- You should only hold data for as long as is reasonable and fair and where the purpose is still valid. You may only hold the data for longer than a reasonable period if you have a legal basis or exceptional business reason for doing so. CCTV footage is also covered by the GDPR and a process should be in place to delete footage systematically after a reasonable period of time (e.g. 30 days). GDPR covers structured and unstructured data.
- Your data collection and processing practices should be fully documented, fair and transparent.
- Your data must be stored safely and securely and be accessible only by those who need it for a valid business reason. This means a robust process for regularly reviewing access permissions is important, so that access can be revoked where necessary, for example from employees who have left the company or moved on to a new role.
- If you have a data breach, you must inform the Data Protection Commissioner’s office within 72 hours of the breach. The clock starts ticking the minute the breach occurs, not when you become aware of the breach, so if it takes you 24 hours to notice the breach and another 24 hours to understand the extent of it, you are now 48 hours into that 72-hour window. If the data breach is likely to cause an individual or individuals harm (such as identity theft or breach of confidentiality), then the individual(s) must also be notified of the breach.
- Should you have a breach, the ability to reduce your financial penalty and reputational damage will hinge in many cases upon your ability to clearly and unequivocally demonstrate all your processes and procedures, your employee awareness programs, your roadmap to compliance, your data retention/deletion policies, detailed and documented knowledge of your data sets, data flows, data purposes and your data security methodologies. Keeping a detailed log of all your GDPR-related activities is good advice!
Communications and awareness
- All of your staff should be made aware of the GDPR and their responsibilities in this regard. Therefore, it’s recommended you roll out some form of basic (ideally mandatory) GDPR awareness program for your employees before the May deadline.
Complying with all of this sounds scary and daunting, but the point is that it is just good data etiquette. Along with your employees, data is one of your biggest assets, so you need to have a solid business strategy around managing it. Creating a culture of data protection within your organisation will be key, and this should be driven from the top down, so senior management must be on board and must walk the talk. If your business activities are such that you are legally obliged to appoint a DPO (Data Protection Officer), then that person must have the knowledge, support and authority to do their job effectively. These ‘business activities’ mostly include public authorities and companies who systematically store and process PII or SPI on a large scale. Whether you are required by law to appoint a DPO or not, it’s considered good practice to have a single point of contact for all things data protection at your organisation.
Starting your GDPR journey
If, like many others, you are only just starting on your GDPR journey, you have two states to consider: current state and future state. The first step to understanding your current state is to truly understand your data, so a data protection impact assessment (DPIA) is a great place to start, whereas achieving future-state compliance is about making data privacy an integral part of every project, every initiative and every new product or service right from the outset. This is known as ‘privacy by design and default’ (as opposed to privacy as an afterthought). There are also ways to limit your GDPR impact by asking yourself questions like ‘Do I really need to store personal information in order to do this task?’ and ‘Is there another way to get to the same desired outcome without the need to collect/store personal information?’ Consider a system that collects but never stores personal information, i.e. the data is collected and processed in real time, business insights are revealed and stored, and the personal information is released. Interesting concept? It’s worthwhile to consider such data minimisation methods.
Can I also take this opportunity to highlight the merits of employing a good project/program manager to get you started? A good PM will produce a solid delivery roadmap with key deliverables and dates, to ensure the work gets done.
Two last points of note…
- GDPR is purposely principles-based. This means there are no hard and fast rules or tick box exercises to achieving compliance. There is also no one person or organisation that can definitively guarantee you that your business is GDPR compliant. That decision must be yours and yours alone because no one truly knows your business and your data like you do.
- Becoming GDPR compliant is not a once-off exercise. It will take work to maintain it and that requires a shift in the way you do business and in how your employees think about data. Data Protection is no longer the sole responsibility of the IT department. Data Protection is everyone’s responsibility and that is best achieved by instilling a culture of data privacy throughout the organisation and most likely a mindset change.
A strong Data Privacy program and a culture of Data Protection at your organisation will become a necessary function of doing business. The worst thing you can do is stick your head in the sand and hope all of this goes away or that there will be a last-minute deadline extension. GDPR is coming and it’s a little bit like owing the Revenue Commissioners in that ignorance will be no excuse. The onus is on you to get informed and get compliant, so don’t put it off any longer. Leverage the information sites, leverage your network, leverage the experts and start your GDPR journey today.
Note: This is a personal opinion piece written for it@cork and should be used for general guidance purposes only. Always engage with a GDPR expert for directional advice on achieving GDPR compliance as it relates to your business activities.