GDPR II – a business issue
10 April 2017 | 0
As you read this, the deadline period for the General Data Protection Regulation (GDPR) across the EU has dipped under 13 months. Just to emphasise, it is 25 May 2018. One of our expert interviewees referred anonymously to a large banking institution that is now GDPR ready, which is clearly admirable. But the project took 18 months and was apparently quite costly, even by banking systems standards. The initial assessment programme to decide what should be done to ensure compliance spanned over four months before the implementation plan could even be drawn up, costed and authorised.
There should be a large countdown clock somewhere, visible to all organisations in Ireland, from SMEs to multinationals to voluntary organisations. Not that small or medium sized organisations should take 13 months to get their practices and their systems ready for compliance. On the other hand, in most cases it will demand knowledge and skills that are not available in-house. All of our experts confirmed that relevant skills are in short supply. They also raised the prospect that relevant and competent professional firms and consultants are likely to have full order books as we get nearer the deadline.
GDPR implementation will mean multiple different levels of challenges and actions and costs to different types of organisations. It is centred on personal data and confidentiality rights of all EU residents, citizens or not. There is something of a myth in business circles that GDPR is all about consumer details and social media—and it most certainly covers that. But think of employee records, which are by definition personal, but might contain information about health, disciplinary issues or even a criminal past.
Voluntary organisations working with children hold Gárda vetting records, as do schools, sports organisations, charities and others. These are in many senses vulnerable organisations with amateur security like a lock on the file cabinet. Anything digital is unlikely to be seriously protected.
Small businesses, like symbol group supermarkets or the hospitality industry, often have a disproportionate number of employees, including part-time, temporary and seasonal. Their obligation to keep all employee personal data securely is just as important in GDPR terms as multinationals or online services or media.
Data is not just IT
The GDPR uses the term ‘data,’ which in some ways contributes to the focus on IT that influences most organisations, especially businesses, in their thinking and planning. But as Sheila M FitzPatrick of NetApp points out, GDPR is first and foremost a legal compliance issue concerning people’s personal information and its use and retention in the light of their privacy rights. “It is a business issue, not a technology one. CIOs and other IT roles are critical partners but they do not ‘own’ the responsibility for GDPR compliance. Organisations first need to have a legal data privacy compliance framework in place. Otherwise, all the most powerful technology will not enable companies to comply with data privacy laws—in many different jurisdictions for multinationals—and certainly not with the new GDPR regime.
“You first have to look closely at the foundations of what data you collect, what agreements you have or had in place, what explicit consents you use and what you are doing with all of that personal data. It’s an audit of your practices, current and perhaps historic. You then put a compliance framework in place. Only at that stage do you look at the tools and technology to implement and maintain compliance. IT is the first or second floor and you can’t design or start work on it until you build the foundations.”
Responding to the suggestion that many organisations may have prided themselves on observing best practice in relation to client data privacy for years and perhaps become a bit complacent, FitzPatrick agreed. “Faced with GDPR, all organisations should look at when they last conducted a privacy impact assessment, of any kind. Particularly since cloud became a commonly used resource to throw data into for scalability or flexibility, organisations looked at data security but not at the potential impact on personal data privacy.
“A fundamental question would be whether we have consent from clients or employees to put personal data in the cloud. Another would be whether we have any assurance from our cloud service providers that they are compliant with data privacy laws. Another might be the geographic and therefore legal implications of where the data might be located—or replicated for continuity reasons. All in all, even organisations which are conscientious about data privacy may have flaws in their systems on the IT side, often because the tech people did not understand the needs of privacy as opposed to standard data security precautions.”
With GDPR, Fitzpatrick wholeheartedly accepts that the ‘right to be erased’ is a challenge few organisations will be able to meet by the May 2018 deadline. “As an attorney, I would be very reluctant to sign any document guaranteeing that it has been done. There are banking institutions that are over 100 years old and bluntly they simply do not know where all of the data is located. It could be on paper or on old back-up tapes in some off-site storage facilities. But the way the data protection authorities are looking at that is that the potential difficulty cannot be used as an excuse not to make a serious attempt to do everything technically and humanly possible to track and erase such data on request.”
Know what you hold
Irish data protection consultant Fintan Swanton takes a similar view and says that “The very first thing every organisation should do, small or large, whatever the sector, is carry out an audit or gap analysis. Many are not sure what this should be, but basically it is an inventory or catalogue of any and all kinds of personal data that they are processing or holding on record. If you don’t know all that then you cannot possibly know if you are compliant. Putting better systems in place to implement compliance comes after that and is informed by that knowledge.