With less than 12 months to go until organisations need to comply with the General Data Protection Regulation (GDPR), it’s more important than ever to look at what you need to do to prepare.
With fines of up to 4% of annual global turnover or €20m (whichever is greater) for companies that fail to comply with the Regulation, this legislation cannot be ignored. In Ireland, there seems to be a tendency to think that data privacy or GDPR compliance is mainly an IT problem, but companies that think this way may want to have their lawyers on speed dial.
Of course IT plays a major role in how a company manages data and individuals’ privacy, but the GDPR is an issue that companies as a whole need to tackle.
According to the GDPR Awareness Coalition, one of IT Governance’s partners, there are six key departments that need to be aware of and involved in the GDPR compliance project.
Below we look at which departments these are and the key questions they need to ask themselves at this point:
Human resources (HR)
Human resources departments all around Ireland will have a mixture of sensitive and personal data on all employees within their organisation. If you work in HR, you need to ask yourself the following:
- What personal and sensitive data are you collecting?
- Are you documenting why you need to capture this data on your employees or, indeed, potential future employees?
- Do you explain consent and how your employees’ data will be processed?
- Are your policies, forms and awareness training up to date with the new categories of personal data?
Legal
As the rights of data subjects are updated and the response times for subject access requests change, legal departments should ensure they can answer the following:
- How will you deal with a subject access request?
- Is your process documented?
- Is any of it automated?
- Can it scale for multiple concurrent requests for this data?
- Do you know the new response timescale?
- Do you have published data retention policies?
Marketing
As the GDPR is designed to strengthen and unify data protection for individuals and is regarded as a complete overhaul of European data protection laws, marketing departments will face drastic upheaval. If you work in marketing, you need to be able to answer the following:
- When you capture consent (e.g. tick boxes) for use of personal data, do you clearly explain why you need to have it and how it will be processed?
- Is the consent explicit and is the individual giving consent fully informed?
Finance
The GDPR also applies to online identifiers (e.g. SEPA) and ID numbers (e.g. employee IDs). As such, the finance department must address the following:
- Have you reviewed your processes to ensure these identifiers are managed securely?
- Have you reviewed the potential GDPR penalties and have you taken account of these in any risk planning?
IT
Although the belief that data privacy is mainly an IT issue is short-sighted, IT’s role can’t be underestimated either. Technology plays a critical role in managing data privacy, as it enables efficient and effective execution of controls. IT departments need to be able to address the following:
- Do you know which systems hold personal data including the new special categories of personal data?
- Can you find that data in the event of a request from a data subject and, more importantly, can you delete it?
- Is it stored securely, whether that’s in your offices or in the Cloud?
- Can you identify a security breach – e.g. a hack – and assess it regarding impact to personal data?
- Do you have a process for notifying the supervisory authority of that breach within 72 hours?
Under the GDPR, organisations are responsible for their entire data supply chain.
- Where a sub-contractor is processing data on your behalf and you are the data controller, have you ensured that the processor has provided sufficient guarantees to implement technical and organisational measures that meet the requirements of the GDPR?
As you can see, the GDPR will affect many aspects of all organisations, and companies that focus solely on technology will soon find themselves in trouble. If you or your colleagues are involved in your organisation’s GDPR project, you should open a dialogue with colleagues in the departments above. The GDPR should be a collaborative project to ensure the people and technological capabilities are working together to build a data privacy-driven business that your customers and staff will be happy to rely on.
Unsure where to begin with your GDPR project?
Why not have our consultants carry out a Gap Analysis to assess your organisation’s current level of compliance with the Regulation, and help you identify and prioritise the key work areas that your organisation must address ahead of May 2018. Find out more.