In our final blog, GDPR – One Year On, Alice Turley examines the impact of the GDPR, how to maintain compliance with the Regulation, and the effect of Brexit on the Regulation.
Key messages from the DPC
The Association of Compliance Officers in Ireland held a conference on 31 March 2019 focusing on data breach notifications and risk assessments. Among those speaking was Niall Cavanagh, Assistant Commissioner at the DPC (Data Protection Commission), who gave a number of top tips organisations can follow to comply with the GDPR.
✔️ Report breaches on time
Cavanagh advised that organisations are generally slow to report data breaches, with many under-reporting their breach numbers.
Other firms are batching the notifications, which is no longer permitted, or waiting the maximum 72 hours to contact the DPC. Cavanagh emphasised that if there is any risk to the rights and freedoms of individuals, the breach must be reported.
✔️ Contact data subjects without undue delay
The data subject must be informed without undue delay of any breach that could pose a high risk to their rights and freedoms.
✔️ Have a breach playbook
Cavanagh suggested that the controller should have a “breach playbook” that would clearly describe what steps should be taken, who should be contacted, what communications should be issued, etc.
✔️ Train employees
All staff should be trained on the breach playbook, so that in times of minimum business cover, such as holiday seasons, they know what to do if there is a data breach. It’s also important that staff know how to identify breaches; while most employees would know what a phishing email looks like, how many would recognise or know what to do about a ransomware attack?
Cavanagh also advised organisations to plan and test their response steps, including dry runs to ensure staff know how to report issues, whom to report them to, and what actions to take to deal with the incident.
✔️ Retain records
Lastly, Cavanagh underlined the importance of retaining records – logs, records of processing, breach records, etc. – so that the DPC knows how you handled an incident.
Make sure records are backed up so that breaches can be thoroughly investigated. These all go toward meeting your accountability obligations under Article 5(2) of the GDPR, which requires you to demonstrate your compliance with the six data protection principles.
GDPR fines and compensation
We’ve looked at what has happened since 25 May 2018 and, while there have not been any GDPR-related fines from the DPC yet, we can expect to see them start later in the summer.
One aspect of the GDPR that has not yet been properly addressed is how much compensation should be awarded to victims. Before the Regulation came into force, compensation for individuals who had suffered a data breach was not usually very high. As such, data protection claims were generally a bolt-on to other claims in the courts for breaches of confidence, defamation or misuse of private information.
However, it is anticipated that the amount of compensation paid out to victims of data breaches under the GDPR will gradually increase, just as it has in misuse of private information claims.
With the threat of increased claims and higher compensation payouts on the horizon, maintaining compliance with the GDPR is more important than ever.
Maintaining GDPR compliance
Organisations should monitor their data protection compliance at least annually.
In Ireland, organisations must comply not only with the GDPR but also the Data Protection Act 2018, which came into force on 25 May 2018, the same day as the Regulation. This is on top of any codes of practice relevant to your industry.
There is also the ePrivacy Regulation (ePR), which is due to come into force shortly. Similar to the GDPR, it will have a two-year implementation timeframe.
The reality of the GDPR
While many organisations have taken steps to create the documentation required by the GDPR, the reality is that much of it offers little operational guidance on who needs to do what when a breach occurs. It is vital that controllers are familiar with the online breach notification form and know what to do when an incident occurs.
The DPC form requests a lot of information about the controller and its business in addition to information about the breach. Ensure that your organisation isn’t looking at the form for the first time while the 72-hour clock is ticking down. Time is of the essence, and you need to be prepared.
Train your staff
According to the EU Commission, regulators have received more than 144,000 complaints since 25 May 2018. The overwhelming reason for these complaints was the failure of controllers to respond appropriately to DSARs (data subject access requests).
Organisations have one month to respond to a request, and the clock starts ticking as soon as the request is received. All employees should be able to recognise when somebody is requesting their personal data, whether over the phone, via email, by post or even in person, and what steps need to be taken, who needs to be informed, what records should be redacted, etc.
It’s important that your risk methodology can assess whether your data breach is low-, medium- or high-risk. While all data breaches must be reported to the DPC, only breaches that pose a risk to the rights of individuals will need to be notified to the data subjects themselves.
Organisations should take a risk-based approach, assessing their personal data processing activities and any processing activities that are likely to result in a high risk to the rights of individuals, and implement controls to mitigate the risk. This includes putting appropriate technical and organisational measures in place. Technical measures include using firewalls, segregating networks, using encryption, anonymising where possible, running vulnerability scans and conducting penetration tests.
Organisational measures, on the other hand, are the arrangements put in place through processes, procedures and policies, such as password policies, mobile device policies, staff training and awareness programmes, etc.
How will Brexit affect the GDPR?
As many are aware, the Brexit deadline has been moved to 31 October 2019, and there is the very real possibility of the UK leaving the EU without a withdrawal agreement or deal in place.
Should this happen, the UK will become a third country. A third country is any country or territory outside the EEC, and while data transfers to a third country can happen, this is only if the third country is deemed to have an adequate level of data protection. This is a detailed process that must be completed with the European Commission and can take months to years. The UK can only apply to become an adequate country once it has exited the EU. Any organisation transferring data from an EEC country to a third country without an adequacy decision must adopt appropriate safeguards. There are several appropriate safeguards, including:
- Binding corporate rules;
- Certification mechanisms; and
- SCCs (standard contractual clauses).
The DPC recommends that any Irish organisation intending to transfer personal data to the UK post-Brexit puts in place specific safeguards to protect the data being transferred, and recommends the use of SCCs.
These are pre-drafted contracts available on the EEC’s website. As long as the clauses are not amended within the contracts, the agreements will stand and are binding.
Keep up to date with the latest GDPR news
Organisations should make sure they stay up to date with GDPR news and developments. The DPC website and the UK’s ICO (Information Commissioner’s Office) website are good places to start.
You can also sign up to our weekly newsletter. These free emails will keep you up to date with breaches, fines and data privacy legislation.
This is an excerpt from Alice Turley’s webinar ‘GDPR – One Year On’. To view the full webinar, click here.
Alice is a qualified data protection, compliance and insurance professional, consultant and trainer. She is highly experienced in data protection, consumer protection and compliance, providing expert and solution-based advice to organisations within the insurance, advertising and education industries.