GDPR – maintaining compliance and Brexit

In our final blog, GDPR – One Year On, Alice Turley examines the impact of the GDPR, maintaining compliance with the Regulation, and the effect of Brexit on the Regulation.

 

Key messages from the DPC

The Association of Compliance Officers in Ireland held a conference on 31 March 2019 focusing on data breach notifications and risk assessments. Among those speaking was Niall Cavanagh, Assistant Commissioner at the DPC (Data Protection Commission), who gave a number of top tips organisations can follow to comply with the GDPR.

✔️ Report breaches on time

Cavanagh advised that organisations are generally slow to report data breaches, with many under-reporting their breach numbers.

Other firms are batching their notifications, which is no longer permitted, or waiting the full 72 hours before contacting the DPC. Cavanagh emphasised that if there is any risk to the rights and freedoms of individuals, the breach must be reported to the DPC.

✔️ Contact data subjects without undue delay  

The data subject must be informed without undue delay of any breach that could pose a high risk to their rights and freedoms.   

✔️ Have a breach playbook 

Cavanagh suggested that the controller should have a breach playbook that would clearly describe what steps should be taken, who should be contacted, what communications should be issued, etc.   

✔️ Train employees 

All staff should be trained on the breach playbook, so that in times of minimum business cover, such as holiday seasons, they know what to do if there is a data breach. It is also important that staff know how to identify breaches; while most employees would know what a phishing email looks like, how many would recognise, or know what to do about, a ransomware attack?

Cavanagh also advised organisations to plan and test their response steps, including dry runs, to ensure staff know how and to whom to report issues and what actions to take to deal with the incident.

✔️ Retain records

Lastly, Cavanagh underlined the importance of retaining records – logs, records of processing, breach records, etc. – so that the DPC can see how you handled an incident.

Make sure records are backed up so that breaches can be thoroughly investigated. These all go toward meeting your accountability obligations under Article 5(2) of the GDPR, which requires you to be able to demonstrate your compliance with the six data protection principles.

 

GDPR fines and compensation

We've looked at what has happened since 25 May 2018, and while there have not been any GDPR-related fines from the DPC yet, we can expect to see them start later in the summer.

One aspect of the GDPR that has not yet been properly addressed is how much compensation should be awarded to victims. Before the Regulation came into force, compensation for individuals who had suffered a data breach was not usually very high. As such, data protection claims were generally a bolt-on to other claims in the courts for breach of confidence, defamation or misuse of private information.

However, it is anticipated that the amount of compensation paid out to victims of data breaches under the GDPR will gradually increase, just as it has in misuse of private information claims.

With the threat of increased claims and higher compensation payouts on the horizon, maintaining compliance with the GDPR is more important than ever.

 

Maintaining GDPR compliance

Organisations should monitor their data protection compliance at least annually.

In Ireland, organisations must comply not only with the GDPR but also with the Data Protection Act 2018, which came into force on 25 May 2018, the same day as the Regulation. This is on top of any codes of practice relevant to your industry.

There is also the ePrivacy Regulation (ePR), which is due to come into force shortly. Similar to the GDPR, it will have a two-year implementation timeframe.

 

The reality of the GDPR

While many organisations have taken steps to create the documentation required by the GDPR, the reality is that much of it offers little operational guidance on who needs to do what when a breach occurs. It is vital that controllers are familiar with the DPC's online breach notification form and know what to do when an incident occurs.

The DPC form requests a lot of information about the controller and its business in addition to information about the breach. Ensure that your organisation isn't looking at the form for the first time while the 72-hour clock is ticking down. Time is of the essence, and you need to be prepared.

 

Train your staff

According to the EU Commission, regulators have received more than 144,000 complaints since 25 May 2018. The overwhelming reason for these complaints was the failure of controllers to respond appropriately to DSARs (data subject access requests).

Organisations have one month to respond to a request, and the clock starts ticking as soon as the request is received (the period can be extended by up to two further months for complex or numerous requests, but only if the data subject is told of the extension, and the reasons for it, within the first month). All employees should be able to recognise when somebody is requesting their personal data, whether over the phone, via email, by post or even in person, and know what steps need to be taken, who needs to be informed, what records should be redacted, etc.

 

Appropriate measures

Organisations should take a risk-based approach: assess their personal data processing activities, identify any that are likely to result in a high risk to the rights and freedoms of individuals (processing that also calls for a data protection impact assessment under Article 35), and implement controls to mitigate that risk. This means putting appropriate technical and organisational measures in place. Technical measures include using firewalls, segregating networks, using encryption, anonymising or pseudonymising data where possible, running vulnerability scans and conducting penetration tests.

 

Organisational measures

Organisational measures, on the other hand, are the arrangements put in place through processes, procedures and policies, such as password policies, mobile device policies, staff training and awareness programmes, etc.

It's important that your risk methodology can assess whether a data breach is low, medium or high risk, because the risk level determines who must be told. A breach must be notified to the DPC unless it is unlikely to result in a risk to the rights and freedoms of individuals (and every breach, notifiable or not, must be recorded internally); only a breach that is likely to result in a high risk to individuals must also be communicated to the data subjects themselves.

 

How will Brexit affect the GDPR?

As many are aware, the Brexit deadline has been moved to 31 October 2019, and there is the very real possibility of the UK leaving the EU without a withdrawal agreement or deal in place.  

Should this happen, the UK will become a third country. A third country is any country or territory outside the EEA (European Economic Area). Data transfers to a third country can take place freely only if the European Commission has deemed that country to have an adequate level of data protection. Obtaining an adequacy decision is a detailed process conducted by the European Commission that can take months to years, and the UK can only be assessed for adequacy once it has left the EU. In the absence of an adequacy decision, organisations must put appropriate safeguards in place before transferring personal data from the EEA to a third country. There are several appropriate safeguards, including:

  • Binding corporate rules;
  • Certification mechanisms; and
  • SCCs (standard contractual clauses).

The DPC recommends that any Irish organisation intending to transfer personal data to the UK post-Brexit puts in place specific safeguards to protect the data being transferred, and recommends the use of SCCs.

These are pre-drafted contracts available on the European Commission's website. Provided the clauses themselves are not amended, the agreements stand and are binding.

 

Keep up to date with the latest GDPR news

Organisations should make sure they stay up to date with GDPR news and developments. The DPC website and the UK's ICO (Information Commissioner's Office) website are good places to start.

You can also sign up to our weekly newsletter. These free emails will keep you up to date with breaches, fines and data privacy legislation.

This is an excerpt from Alice Turley’s webinar ‘GDPR – One Year On’. To view the full webinar, click here. 

Alice is a qualified data protection, compliance and insurance professional, consultant and trainer. She is highly experienced in data protection, consumer protection and compliance, providing expert and solution-based advice to organisations within the insurance, advertising and education industries. 

____________________________________________________________________ 
