GDPR: 100 days to go - will you be ready in time?
With time running out, what are the key compliance lessons organisations can learn from other IT leaders?
There are just 100 days to go before the European Union General Data Protection Regulation (GDPR) finally comes into force, threatening multi-million pound fines against organisations that spill personal data.
For any organisation of significant size, it's probably too late to be starting compliance efforts now, although Computing's excellent three-part feature by Field Fisher Waterhouse LLP director Kuan Hon is a great place to start.
In the early years of the new regime, the Information Commissioner's Office (ICO) has indicated that it will go easy on organisations brought before it for breaches of personal data, provided they can demonstrate that they have made reasonable efforts to comply.
The ICO itself recommends that organisations should do the following:
- Document what personal data they hold, where it came from and who it is shared with. This may require an audit;
- Review current privacy notices and make necessary changes;
- Review procedures for deleting personal data on request - especially if such requests need to be balanced against regulatory compliance demands for data retention;
- Update procedures around subject access requests, which are set to become much more onerous;
- Identify the lawful basis for processing activities under the GDPR and document it, and update privacy notices accordingly;
- Review consents for personal information and make sure they meet GDPR standards;
- Consider systems to verify individuals' ages and whether parental consent may be necessary;
- Put in place procedures for the rapid detection, reporting and investigation of data breaches;
- Designate data protection officers with responsibility for data protection issues within the organisation;
- Decide on a supervisory body if the organisation operates across EU national boundaries.
While this list may seem forbidding, attendees at recent Computing events have tentatively suggested that their compliance efforts haven't been as onerous as first feared.
Typically, compliance efforts have started with a legal assessment, either from an outside law firm or led by the organisation's own in-house legal counsel. Data audits to find and document exactly what personal data is held, and where - as well as where it is processed - have quickly followed.
In some respects, these steps have provided some reassurance: IT leaders at more recent Computing events have certainly seemed more sanguine about GDPR than at events we held a year or more ago.
Customer personal data has always been tightly held, given the critical competitive edge it provides, but some CIOs have instigated data cleansing initiatives, and also conducted new opt-ins on mailing lists where opt-in procedures may not have been properly documented. Having documented business processes around the governance of personal data will greatly mitigate any fines the ICO could levy should an organisation suffer a data breach.
One surprise, according to IT leaders, has been the human resources department: not in terms of data security as such, but in the applications and third parties to which HR functions have often been outsourced. Where personal data - even just an email address - is processed by a third party, the organisation needs to ensure that whoever it is outsourcing to is also GDPR compliant.
An HR department and the outsourcing partners it uses, though, will often hold highly sensitive data, from bank account details to cursory medical records, in some instances.
In some cases, it may be safer and simpler to simply in-source or to consolidate contracts. Given the sensitive nature of data held by HR, it certainly isn't an area that should be under-estimated when considering GDPR compliance.
Of course, for organisations whose very business is data, particularly personal data, GDPR will almost certainly prove more onerous. But with just 100 days to go, their compliance efforts should already be as good as done - or, at the very least, on the home stretch and running well.
According to some CIOs at Computing's recent IT Leaders' Summit, though, GDPR has proven to be a useful tool for putting through a number of other, not-strictly-GDPR projects that might not otherwise have got approval from the Board.
Hence, time isn't just running out to achieve compliance with the GDPR - time's running out to use it to get a whole lot of other projects pushed through at the same time. That, surely, is an opportunity that is too good to waste.