The General Data Protection Regulation (GDPR) is serious stuff, as any risk manager worth their salt will know. But with something this big, there is no point only a minority being aware of the drill.
So, does more need to be done to get the message out companywide? While many risk specialists are likely to be well briefed and to have attended seminars and other training events on this key new piece of legislation, others could be less aware of the onerous new responsibilities it brings.
What is more, it will be in force in less than a year – by May 2018. Despite Brexit, compliance with the GDPR will be essential for any firm dealing with personal data from the EU, regardless of where that business trades from.
Key changes include a new requirement to notify breaches to the ICO no later than 72 hours after becoming aware of one and also the introduction of potentially devastating fines.
These are up from the current ICO’s limit of €500,000 to €20 million or 4% of annual global turnover and there is a provision for class action and individual prosecution depending on the breach.
GDPR – 8 Key Facts
1) GDPR applies to all companies worldwide that process EU citizens’ personal data - it’s the first global protection law.
2) Under the GDPR, any data that can be used to identify an individual is considered personal data.
3) Simple and clear language must be used when companies ask for consent to collect data - silence from the customer does not mean consent.
4) A data protection officer (DPO) must be appointed in the following cases: public authorities, (except for courts acting in their judicial capacity); those carrying out large scale systematic monitoring of individuals (for example, online behaviour tracking); those that carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
5) A single data protection officer may be appointed to act for a group of companies or for a group of public authorities, taking into account their structure and size.
6) Any organisation is able to appoint a DPO, regardless of whether the GDPR obliges a DPO to be appointed.
7) A firm must ensure their organisation has sufficient staff and skills to discharge GDPR obligations.
8) In the past, only data controllers were considered responsible for data processing activities, but the GDPR extends liability to all organisations that handle personal data.
While the ins and outs may be well known to risk managers, and many are likely to have run tests to check for compliance and perhaps formed a breach management strategy, now is the time to ensure all employees who handle and store data are similarly informed.
The GDPT is not an obscure piece of legislation that will arrive and then be forgotten about and it cannot be batted into the IT department as their remit.
Risk managers may well want to explain that data security is an organisation-wide responsibility. And there could also be a message that does not just focus on the punishment aspects.
Being responsible with personal data is a positive attribute and bringing in tighter procedures, if necessary, may well be positive.
Many would agree that the GDPR’s ‘right to be forgotten’ requirement is fully justified and all customers have the right to know that their details will be deleted if requested and to know how a company processes data.
It may mean that employees will need to get used to having fuller audit trails if necessary, i.e., to show they have obtained customer consent to use their data, but this is a sound protocol and how any customer would want to be treated.
When things go wrong, for example, thinking back to the TalkTalk breach, severe reputational damage ensures that can be hard to shake off.
So rather than just seeing GDPR in terms of the pressures, there is also a positive message around having strong data privacy controls equals better customer service and using this will result in a competitive edge.
There is a short amount of time and a lot of detail around the GDPR and those disseminating may well be working in the risk management arena. What is more, they will also need to ensure they reach any outsourcing businesses that handle data for an organisation too.
Strong security systems are a pre-requisite and more businesses are also taking out cyber liability insurance to bolster their defences – but, this is far from being a substitute for sound in-house controls. Ultimately, good housekeeping and managing the risk from the human element is critical.
The GDPR will soon be upon us and while it may mean little to many now, it is a wide-reaching new law that must be taken seriously across all levels of a business.
Insurers face “large fines” for failing to comply with new EU data law (Insurance Business May 26th 2017)
Preparing for the General Data Protection Regulation (GDPR) 12 steps to take now (Information Commisioner's Office)