Written by Justin Baxter, Neil Adams and Neil Mockett from Crowe Horwath
With only 12 months left until the new GDPR regulations come into force, many organisations are already busy preparing for May 2018. But for others, the challenge is still about getting started with a proportional approach that will enable sufficient progress in the time remaining, and provide a defensible position in the event of any breach or incident. Unfortunately, there is no blueprint for easy compliance and no easy, plug-in solution. Each firm will have a different starting point and will therefore need to determine its own approach.
The ICO has described GDPR as a “journey”. This is very true; however, it is one that is best prepared for by taking into account some practical advice.
Give GDPR the level of sponsorship it deserves. Compliance with GDPR regulations, and data protection more generally, should be regarded as a key operational risk. As such, the board should appoint a member of the management committee to oversee progress. The potential for significant fines, exposure to legal action, and the inevitable bad publicity and reputational impact, should an incident occur, necessitates senior management oversight. However, GDPR is also about the rights of the individual, and the expectations individuals have of the firms holding their data and acting as custodian. Therefore, GDPR is also an issue of ‘conduct’ which, as Financial Services firms know all too well, can cause significant problems with the regulator if not taken seriously.
As with any business change, the direction, drive and tone from the top can be one of the main differences between success and failure, so it is worth ensuring you have the right sponsorship in place.
Getting started. There are many reasons why plenty of firms are struggling to get started. However, one of the key issues is that GDPR is a principles-based regulation and, with detailed guidance on a number of key areas still a work in progress, the regulation is, quite simply, open to interpretation. As a result, in the absence of a more prescriptive GDPR “instruction manual”, organisations need to determine for themselves what GDPR means. This includes the organisation deciding where to set the “bar”, especially in areas where the regulations refer to rather unhelpful terms such as “appropriate” or “sufficient”.
Really understand what happens to data across the organisation. This is such a simple statement to make, yet it is an absolutely critical starting point. Organisations have to be brutally honest about the personally identifiable data they have, why they need it, where it came from, how it is used, where it is stored and where it goes. For many organisations, performing this step is a daunting prospect. However, firms do not need to take a ‘scorched earth’ approach to understanding their data – even some high level work will most likely reveal where the key areas of concern exist.
Gaining this understanding as early as possible will prove extremely insightful, and should form the basis of many other areas of work over the next twelve months.
Identify the areas of greatest impact. Although GDPR introduces a number of new requirements, for example in relation to gaining consent, or customer requests such as the right to ‘erasure’, much of it is not actually new and it is really just an extension of the core principles of the existing Data Protection Act (DPA). An organisation’s existing maturity against the DPA will therefore have a significant bearing on the breadth and depth of scope that needs to be addressed under GDPR. In the absence of a detailed or recent DPA gap analysis, almost every organisation will have one or more open audit points relating to data protection, which is usually a good place to start.
Invest time upfront in developing formal data protection related policies and standards. Strong governance is important for lots of reasons, and well written policies and standards provide the foundations of good governance. In the case of GDPR, investing time early on to revise existing data protection policies to ensure they address the requirements of GDPR will help create clarity and focus for the organisation, and a point of reference against which compliance can be assessed. The exercise will also inevitably produce some surprises in terms of other related policies that will need to be amended to address GDPR, such as HR, Procurement, Outsourcing, and Information Security.
If in doubt, complete a Privacy Impact Assessment (PIA). The principle of embedding is key to successfully implementing any change, and in support of this aim for data protection, the ICO published guidance in 2014 on the use of PIAs as a business-as-usual (BAU) “tool”. In effect, a PIA is a structured assessment of a given business situation with the explicit purpose of assessing the level of data protection related risk. Though originally conceived as a tool to be used in BAU, completing a PIA against areas of concern or uncertainty as you work towards compliance can be a very powerful, and extremely revealing, approach.
Model your response to Customer Requests. Subject Access Requests (SARs) are not a new concept. But GDPR means they will become free of charge for members of the public. GDPR also introduces new customer rights, around areas such as portability and erasure. Therefore, it is reasonable to expect that volumes of customer requests will increase after May 2018. To address this situation, it is key to establish what would be involved in providing the information outlined in the regulations, including for the new request types. Also key is the testing of scenarios where volumes significantly increase from historical levels, in order to understand their potential operational impact.
Don’t forget Third Parties. The changes in accountability and liability regarding Data Processors are significant under GDPR. While Data Controllers remain liable for infringements caused by their Data Processors, those Processors now also have direct duties under the GDPR. It is therefore critical for both Controllers and Processors to understand what has to happen to keep processing operations compliant. As most organisations have tens, if not hundreds, of third parties that they rely upon, this can be no small task and needs to be sized and tackled with the priority it deserves.
Information Security is key. This won’t be a surprise to most people, however, too often organisations seem to “miss the wood for the trees” when it comes to information security. There is little point spending small fortunes on leading edge IT protection systems if a firm isn’t sure it has the basics in place – as an example, look no further than the recent attack on the NHS and issues caused by the lack of recent Windows patches. Also, information security is not just about the structured data held in core systems, it equally needs to apply to physical data and the unstructured or “dark” data that resides in emails, on network drives and the Excel downloads from core systems that all organisations possess.
Staff training and awareness. Kicking off a gradual programme of awareness and training around the principles of data protection, and explaining to staff how the organisation is addressing the needs of GDPR, is essential. How staff handle data related queries with customers and third parties will be a key factor in mitigating data protection risks, and demonstrating to customers, and the regulator, that the organisation takes data protection seriously. Organisations need to be careful not to neglect the ‘people’ side of things in favour of more tangible areas such as IT.
Complying with GDPR. Complying with new regulations is almost always harder than originally expected – vague requirements from the regulator, a fixed end date and a lack of in-house experience don’t tend to mix well. In reality, given the breadth of impacts from GDPR, most organisations will struggle to address every last detail before May 2018. Though this may be true, what is key is that organisations can demonstrate they understand the size and nature of the gaps they have to address, they have a plan in place and are making good progress, and they can show the regulator, and other key stakeholders, that they are in control and are taking GDPR seriously.
Crowe Horwath is a member of the Crowe Horwath International (CHI) network of accounting, tax, risk and performance management firms. Crowe has years of experience implementing regulatory and compliance changes and helping firms refine their approach to risk management. Justin Baxter is a Partner in the London office and, together with Neil Adams and Neil Mockett, is leading the development with clients of practical and pragmatic approaches to the challenges presented by GDPR.