Moving GDPR preparation into operations
While people may think that they have done everything needed to prepare for GDPR, they may have missed things and may not have thought about how they get assurance over GDPR.
They may not be ready any more as needing to be prepared for GDPR is different to having GDPR as part of operations.
GDPR has now been in force for over a year so would it be correct to assume that all organisations have taken the necessary steps to ensure compliance? Based on our work and feedback from others it appears that this is not the case, far from it, but the big question is whether the magnitude of the recent fines imposed on British Airways (£186m) and Marriott (£99m) will make stakeholders think again.
What does the Information Commissioners Office (ICO) expect of an organisation? That’s quite simple, the ICO expects that all organisations, no matter their size, are taking the protection of personal data seriously, that they are looking after the interests of the data subject. The ICO would expect all organisations to have compliance with the legislation at the core of operational activities. This means that in respect of personal data they are:
- doing the right things
- doing them in the right way
- doing them well.
Both British Airways and Marriott failed to convince the Information Commissioner that they were doing the right things, etc., and had done all they could to protect the personal data of their customers, but why are the fines so big? Is it because the ICO is making an example sending out a message to those organisations who approached GDPR as a burden, another compliance headache, those that did the bare minimum or worse ignored it completely?
Possibly, but equally, it could be because both companies failed at a fundamental level – they failed to safeguard their digital estate. But it could have been much higher: BA’s fine was 1.5% of global turnover, it could have been up to 4%! It is also worthy of note that Marriott incurred the £99 million fine because they acquired another hotel chain in 2016 - and it was this hotel group, Starwoods, that had lost customers' data through a cyber breach.
While many organisations have invested a great deal of time and energy in being compliant with the regulation, many have failed to recognise the business value. Instead of viewing GDPR as another regulation you need to comply with, you should be considering the potential business benefits. Why wouldn’t you want to ensure that your data is:
- obtained fairly and lawfully
- recorded accurately and reliably
- one version of the truth
- held securely and confidentially
- used effectively and ethically
- shared appropriately and legally
- delivering business value?
Comply with GDPR
GDPR is also about value and trust in data, a central element of information governance. Information governance encompasses among other things information security or, at a digital level, cybersecurity.
Many organisations were taken in with checklists and companies offering one-stop technological solutions without taking the necessary steps to understand how personal data flows through the organisation, as opposed to designing and implementing a framework that will fit with the culture and ways of working of your organisation.
Then there are those organisations that complained: 'it's not fair' and placed it on the 'too difficult' pile. On many occasions, senior stakeholders have told me that they could not see how GDPR affected them as they did not collect, store or process personal data – in all cases, they had failed to grasp that employment data was personal data.
Absorbing GDPR into business, as usual, requires a holistic approach to information governance. People processes and technology – the guidance issued by Working Party 29 who were responsible for developing the Regulation and the ICO in their 12 steps spelled it out: raise awareness, train, develop processes and procedures, tighten up on IT security.
How can doing the above build business value? It can be a differentiator, especially if you buy into the view that we are moving from the information age to where reputation is paramount.
In the marketplace competition is fierce and the choice is not restricted by geography. We no longer just rely on the shops on the high street or local businesses to fulfil our needs. Could it be that in the not-too-distant we will be looking at a ‘data trust index’ when making our decisions over which internet business we want to interact with? So, will a business whose reputation is damaged because they cannot be trusted with our data be overlooked the next time we go shopping?
In GDPR terms even those organisations that embraced the challenge are only at the beginning of their journey.
Organisations collect data, for a whole host of purposes and from a range of sources. The simple question is why we spend time and resources collecting, processing and storing this data? This simple answer should always be because it is necessary to assist in achieving business objectives. If this is the case then the data collected must have value - and something that has value, we safeguard. If something has no value, why do would we acquire it?
For the last year or two, the focus has been on GDPR but in reality, many progressive organisations have been using GDPR as a way to improve their overall approach to information governance.
Looking forward it is how we incorporate GDPR into information governance that will lead to a certain level of maturity in how we deal with GDPR. There is also a real prospect that protecting personal data may fall as part of annual audit requirements.
But it’s not just about our organisation, it’s also about organisations that we share our data with. If we do not manage our third-party data-processing relationships appropriately, our reputation could be impacted by their negligence. Even if there is a breach in a third party's data security, we are still accountable, therefore it is our responsibility to make sure that the third parties we work with are looking after the data we share.
GDPR does not reflect a whole new philosophy about personal data; rather, it builds upon the basic application of good information governance practices, albeit with a greater emphasis on transparency than an auditor might be accustomed to.
Providing audit assurance on GDPR is not a one-off process; the regulation requires auditors to consider personal data throughout the enterprise:
- GDPR centres on the quality and accuracy of the data collected - a core tenet of information governance is the reliability of the information.
- GDPR focuses on the security of data in information governance - we also consider security data and look at the processes we’ve got in place for data loss management. We don’t want to lose data but if we do, we need systems in place to inform us that a breach happened
- in GDPR we need to ensure that personal data is accessible - under information governance, we also need to be able to access data. This is the way we leverage value out of information.
What can you do to reduce your risk of a fine?
If the following statements are true of your organisation then you will have reduced your risk of a fine:
- we have completed a data audit, developed a Record of Processing Activities and have conducted a risk assessment of the data collected, processed, stored and shared
- we know who all our third-party suppliers are, and any of their suppliers who handle our personal data, and we have satisfied ourselves that they have the appropriate processes in place and they are working effectively
- we have privacy notices drawn up and readily available - we do not have to get the data subject to sign them, we just need to ensure that we make them aware where the notice can be found
- we have cookie statements on our websites
- we have developed processes and template letters that underpin the way we deal with addressing an individual's rights when they make a subject access request
- we have raised awareness across the organisation and trained our staff on how to deal with personal data and assessed their understanding
- we have reviewed our contracts with our suppliers and customers and where appropriate put Data Processing Agreements in place
- we have reviewed our information security arrangements to ensure that all sensitive and personal data we store and process is appropriately protected both at rest and in transit
- we also have to consider something we have not before - that is providing data subjects with their personal data in electronic form which facilitates portability
- where we make changes to the systems we use to collect, store and process data, we have developed a process to undertake a data privacy impact assessment to ensure that we fully understand how our actions and activities may impact on the rights and freedoms of the data subject
- we have reviewed all our business processes that touch on personal data to ensure GDPR compliance is embedding into ‘business as usual’ and becoming an integral part of daily operations
- we can demonstrate that our GDPR related processes are operating effectively and consistently.
Don’t panic, help is at hand
There are several sources of information to help including:
NCSC’s 10 Steps to Cyber Security
Don’t let your organisation be the next to hit the headlines saying that you have received a large fine from the ICO. The fine is only the start of your worries - reputational and brand damage could cost much more!
Steven Connors, Partner, Haines Watts