GDPR III—act now, act swiftly
18 May 2017
Let us remind ourselves again: the General Data Protection Regulation (GDPR) across the EU will be law from 25 May 2018. Just over 12 months to go. That is when GDPR compliance and its administration will have to be operational in every organisation that holds any kind of personal data, from HR and payroll information for a handful of employees to financial institutions or social media multinationals with thousands or indeed millions of clients and users.
We are at the practical stage of implementing and operating GDPR compliance. Whether that is already under way in your organisation or now impelled by panic—because fines can be 4% of global turnover or €20 million—it is high time for action. As the experts we interviewed for our previous features in TechPro have pointed out, an awful lot of organisations have not even begun to examine their stored data and data collection methods. They cannot begin to design their compliance without that initial audit or examination or whatever we call it.
There is also and always the possibility that there will be hidden depths—ancient back-up copies, replication in the cloud, forgotten projects, and data in spreadsheets, email and working documents over and above the formal databases and record-keeping systems. The longer established and larger the organisation, the more likely such forgotten or hidden stashes of personal information are. Any of them could cause a finding of non-compliance and a fine.
As for smaller organisations, the main question is whether they are holding personal data in any volume. Every employer will hold personal data, as will voluntary bodies with minimal staff but teams of volunteers, many of whom, for instance, will have had Garda vetting. The real impact will be on SMEs which deal with personal clients, from insurance brokers and accountants to medical practices and recruitment agencies. They may have few permanent staff and no relevant expertise, yet hold records going back years and covering thousands of people. Such small organisations will undoubtedly have to seek Data Protection Officer (DPO) services from external consultants. We may see, for example, auditors and accountants add data protection expertise to their portfolios.
The question of a DPO loomed large for all of our interviewees and the consensus advice was that if your organisation is obliged under GDPR to appoint one then get on with it. Apart from everything else, the small pool of appropriately skilled and experienced talent is already diminishing rapidly. There are a number of training courses leading to certification as an EU DPO, notably the programme run by the Irish Computer Society under the leadership of Jim Gregg and the auspices of the Association of Data Protection Officers (ADPO). The criteria for a mandatory appointment of a DPO are clearly set out in the GDPR. Essentially, it covers public bodies and organisations where the core activities, in whole or in part, involve personal data.
“DPO will not be a titular role. The person appointed has to be given authority and the necessary resources, support and independence in the job and the advice he or she gives,” explains Jim Gregg. “It is not window dressing. The DPO is responsible for everything to do with data processing activities in the organisation and the accountability under GDPR for all of that.”
In a very real sense, he adds, the DPO will be out of the normal chain of command. “Nobody else can tell the DPO how to do the job. Whatever the rank or pay grade or whatever, the DPO has to be somebody who can walk into the CEO’s office and say ‘We have to stop that’ or ‘I will have to report that’. There is no suggestion that the DPO has to be at C-suite level, but that degree of independence has to be there because we are talking about the total organisation’s accountability under the strict GDPR legal environment.”
Equally, Gregg points out, there cannot be a conflict of interest internally, so the IT manager or the sales director cannot really double as the DPO. “In smaller organisations like SMEs, which are accustomed to people carrying several responsibilities, there may not be any way the DPO job can be added without a conflict of interest. A full-time job may also be out of the question financially. We expect many smaller outfits with DPO obligations to fulfil them on a contracted service basis, like their auditors. We expect such solutions to spring up in the next year because for a lot of SMEs, notably in services, a DPO role will be legally required but not within their resources. The likelihood is that a standard form of such services and contracts will evolve quite rapidly in the lead up to GDPR next May.”
Daragh O’Brien emphasises that most organisations should approach the advent of GDPR pragmatically, with the initial task being a review of any business processes that involve acquiring or processing personal data. “That might involve customers, will always include employees and might in some instances involve business partners or just contacts. How do we get such data, where from, and how and where are we storing it? Simply mapping that on paper will be a key first step.
“Of course, it can be done electronically as well but I think understanding the set of processes in concept is important, for senior management and whoever is leading the project start towards compliance. A number of our larger clients have taken a systems level approach in identifying their risks. But that can lead to not seeing the bigger picture such as the handovers between systems or not recognising the value of data that is contributing to their bottom line—or not. If they were told that they can’t do things that way anymore or cannot use certain data, what would the impact be?”
Systems level approach
A systems level approach, he says, can also lead to missing the fact that a great deal of the use of personal data is being done in unstructured ways. “We have often come across shadow processes that were being carried out in spreadsheets, personal analytics tools or even in email that were not appearing on the ‘official’ lists of databases and applications. Those informal ways of doing things—almost always to do a better job—can be the clues to where any bodies are likely to be buried! So, I would say stop thinking about the possible problems in IT or legal and look at the business and its processes and how it uses the data about people to further that business.”