KPMG is working with a number of larger clients on risk and regulatory compliance, with a current focus on GDPR. “They are all subject to the existing data protection requirements so we are focussing on gap analysis between current and new GDPR rules and highlighting the changes and differences. But that has to be accompanied by a thorough assessments and review of their existing governance and compliance, both to identify any deficiencies but also to identify any need or opportunity for enhancement.”
“That work is the basis for the outline programme that then draws in all parts of the organisation. GDPR impacts all sorts of areas, from IT to line of business, and operations to sales and marketing, even HR. In enterprises with a risk and compliance team, they are very much involved.
Thorough investigation
All of the practical work is based on the inventory of personal data, where it is processed and stored, that was one of the first tasks and remains subject to correction and revision. Unstructured data has to be investigated thoroughly as well as the obvious systems and often it is the biggest challenge. People in business compile lists of clients and contacts and prospects all the time, play with spreadsheets, start marketing projects that are later cancelled and of course email always contains forgotten material. We are seeing clients conduct really extensive electronic searches of their entire IT environment to highlight the location of as much personal information as possible.”
We are seeing clients conduct really extensive electronic searches of their entire IT environment to highlight the location of as much personal information as possible. That is hugely important, because with the new oversight regime, compliance is about accountability rather than simply about preventing breaches. Organisations have to be able to demonstrate compliance, Michael Daughton, KPMG
“That is hugely important,” Daughton said, “because with the new oversight regime, compliance is about accountability rather than simply about preventing breaches. Organisations have to be able to demonstrate compliance—how you are on top of and in control of personal data, where it is stored, who has access, who you are sharing with, what third parties it might be going to and so on. The national data protection authorities across Europe will be monitoring all of that. If you are found to be non-compliant and appeal to the courts, traditionally at least best efforts made is a reasonable defence. But if your organisation has done nothing or very little, you will be punished financially—and everyone now knows how severe that could be.”
Management misconceptions
Looking around the market, another consultant who is finding management misconceptions is Brendan McPhillips. “There is a surprisingly widespread perception that the DPO will be the sole person responsible for GDPR compliance. In fact, it will be multi-departmental in almost all organisations because fundamentally it is about the ways in which the activities are conducted and the processes that are in place. So, marketing and IT, to take just two examples, will have to examine their own processes to contribute input to the supervisory role of the DPO.”
The first thing McPhillips says to clients is to abandon the idea that the DPO—when eventually appointed, in all too many cases—is going to solve all GDPR compliance problems. “The DPO is essentially the leader of a team —permanent or ad hoc or for the next year—that will ensure the organisation’s compliance across all activities. Another thing we are seeing is that through indifference or ignorance of the implications, a lot of top management is seeing GDPR as something on the horizon for 2018 just because that’s when it will be in operation and law. Many believe they will have enough time in 2018. Not so, quite probably in any organisation.”
Another factor, he pointed out, is that many organisations are awaiting the appointment of a DPO to commence actual action. “That recruitment process could be a real problem, because there are all too few people out there with the relevant skills. The longer it takes to find a DPO the less time to meet the compliance deadline.”
One big thing that GDPR compliance will require is thorough documentation of policies and decisions and actions, added McPhillips, “and that is something that is simply not in the culture of many organisations. The DPO can oversee much of that, but others may not grasp the idea for a time. Even when there is a decision not to do something that relates to GDPR, the decision and the reasons have to on the record. GDPR compliance involves proving that you have taken all legal and necessary steps to comply and that includes evidence that appropriate consideration was given and best judgement exercised. Like board and other significant meetings, you have to be quite formal about the record keeping.”
There is a surprisingly widespread perception that the DPO will be the sole person responsible for GDPR compliance. In fact, it will be multi-departmental in almost all organisations because fundamentally it is about the ways in which the activities are conducted and the processes that are in place. So, marketing and IT, to take just two examples, will have to examine their own processes to contribute input to the supervisory role of the DPO, Brendan McPhillips, Asystec
Simple and obvious
ADPO chairman Tom Hulton is another who is quite practical about the whole thing: “The first thing to do about GDPR compliance is to get started. It’s that simple and obvious. Clearly there are lots of things you have to establish—what personal data you have, where you get it or got it, where you store it and all of that. Then there are questions arising, like on what legal basis do you acquire or retain such data? The important decisions are all about getting the process started by everyone who is a data controller in any respect. Then the questionable issues or practical difficulties will surface and you can make a more comprehensive plan.”
The guideline on whether the organisation needs to appoint a DPO are relatively clear, Hulton said, and clearly getting on with the appointment can be a valuable resource for the compliance preparation. “But I am conscious of the fact that the DPO is just one person, cannot do the whole lot and, in any event, the obligations and review to analyse the gaps that may exist extend across the whole organisation and functions from sales and marketing to IT. In larger organisations, it is key to have ‘data champions’ in different divisions and certainly in key data holding departments. It is also important to have and cultivate a culture of compliance throughout all staff.”
Subscribers 0
Fans 0
Followers 0
Followers