Many companies and organizations need to prepare to conduct business in a new data protection, privacy and security landscape when the transition period for the GDPR ends on 25th May 2018.
Ardi Kolah, LL.M, Executive Fellow and Director of the GDPR Program at Henley Business School, and author of The GDPR Handbook, shares his guidance for senior managers looking to put the finishing touches to their GDPR plans.
1. Make sure all staff have been provided a fresh Data Privacy Notice
All your staff should have been provided with a Data Privacy Notice advising them that the processing of the personal data the company/organization requires in pursuance of their employment will be carried out on the basis of legitimate interest. This should explain clearly:
- What personal data will be processed
- The purposes and duration for doing this
- What rights they have
- Who they should contact if they have issues/concerns
- What happens if they leave the company/organization
- Who else this personal data will be shared with
It should be emphasized that not all personal data is processed under legitimate interest of the company/organization. For example, there may be a discount or company loyalty scheme where staff may need to share their personal data on a consensual (consent) basis to participate.
Remember that under the GDPR, employers won’t be able to rely on consent as a lawful basis for processing employees’ personal data, as it will not be deemed to have been freely given. Continuing to process personal data without lawful grounds is a serious breach of the GDPR. The Data Privacy Notice is the only absolute right in the GDPR and must be separate from any terms or conditions.
2. Ensure anyone in your company/organization who touches personal data of customers, clients, supporters or other employees is appropriately trained
In any potential personal data breach, the Supervisory Authority will first look at the training records held in a company’s HR Department to determine whether anyone involved in processing personal data at the company has been appropriately and adequately trained. If this isn’t the case, it’s a breach of the GDPR and will also be an aggravating factor in the wake of a personal data breach, which will only push the needle up when the Supervisory Authority and/or Regulator decides the level of sanction/fine to be applied.
3. Only engage third parties to process personal data if they guarantee GDPR compliance
Make sure that as a client (you are the Data Controller under the GDPR) you only engage third parties to process personal data of your customers, clients, supporters or employees if they guarantee compliance with the GDPR, irrespective of where in the world this processing takes place.
This is because the Data Controller is responsible for every point in the value chain of data protection, privacy and security, and the further away the processing of personal data takes place, the greater the risk that things may go wrong. Don’t just take anyone’s word that they comply; ask them how they demonstrate compliance and how you can verify this. If the answers are unsatisfactory, find another data processor. If there is a personal data breach after 25th May 2018, even if it isn’t something you have done, as a Data Controller you will be jointly and severally liable.
Choose your data processing partners with extreme care to avoid the risk of huge fines, sanctions and reputational damage. Also, if the data processor uses a cloud service provider, double-check that you have signed this off, as this sub-processor in the value chain also binds you by law.
4. Identify a senior manager in your company who is responsible for data protection, privacy and security
It is advisable to make sure a senior manager in your company/organization is identified internally as being responsible for data protection, privacy and security. For large organizations, this can be the Data Protection Officer (DPO).
Make sure that they don’t have a conflict of interest and are able to act independently, as they must not take any instructions that conflict with their role as a DPO or their duties and responsibilities under the GDPR.
Forget about trying to hire someone externally – there’s a serious shortfall of DPOs in Europe (around 28,000 DPOs are required to meet such a demand according to the IAPP), so it’s more workable for the long term to identify a senior manager who can be trained to fulfil the role of a DPO, and enroll them on a GDPR Program (at Henley Business School, for example) where you can be confident they will undertake the most rigorous training available.
5. Reboot the thinking about data within the senior leadership team
Make sure that all members of the senior leadership team have re-booted their thinking on data protection, privacy and security for the digital age. It’s no longer a tick-box exercise or something consigned to the backroom: it’s most definitely a boardroom issue.
Transparency, accountability and control should now drive the thinking behind a company or organization; accountability starts with the Board and flows right through the whole organization.
Essentially, it’s about identifying ‘high’ or ‘very high’ risk in the processing of personal data and reducing this to a residual risk that doesn’t cause harm or damage to customers, clients, or staff.
In order to put in place the appropriate organizational and technical measures, the company/organization should carry out a Data Protection Impact Assessment (DPIA) ‘Lite’ – which will identify what it is doing that’s compliant with the GDPR, what it is doing that may seem ‘a bit dodgy’ and should stop, and what it should start doing in order to implement appropriate risk mitigation measures.
Remember, the exercise is less about regulation and compliance and much more about reputation. As the GDPR is outcomes-based, it’s vital that senior managers understand how to join the dots on business continuity, risk and technology, to manage their businesses in this new era of data protection, privacy and security.
You can learn more about how companies and organizations can take advantage of the new opportunities for creating deeper digital trust, so they can do more – not less – with personal data, in the new book by Ardi Kolah, The GDPR Handbook.
Author: Ardi Kolah LL.M is Executive Fellow and Director of the GDPR Programme at Henley Business School; founder of training company GO DPO®, Editor-in-Chief of the Journal of Data Protection & Privacy, and author of the new book, The GDPR Handbook. As a privacy consultant, he was instrumental in leading Hitachi Consulting Corp (NYSE: HIT) to become the first to achieve BS10012:2017 - Personal Information Management System (PIMS). He works extensively with corporate clients in Europe, USA and Asia.