Implementing the new data protection regulation successfully must be a priority for the whole firm, not just the IT department, advises Alex Loquens
On 25 May 2018, the new General Data Protection Regulation (GDPR) comes into effect. For firms that already have good governance around the data they hold on behalf of their clients, adopting the GDPR shouldn’t be a massive step change, as both the Data Protection Act 1998 and ISO 27001 provide excellent frameworks (if properly integrated with your business process and practices).
Is GDPR an IT issue?
If you’re responsible for IT services within your firm, then absolutely not! The GDPR must be raised at board level, and, if applicable, to your compliance team. The GDPR is about managing your ‘data’, bearing in mind ‘data’ will be captured in many forms by all departments, both electronically and physically.
Certainly, the IT team will play a crucial role in ensuring your firm meets the requirements of the regulation – for example, undertaking a full data-mapping process in order to understand where the data is, who has access to it, if it is shared, how it is managed and maintained, and by whom. Once the data is mapped, it is then about working with your software vendors to build in the GDPR requirements around the ‘right to be forgotten’ and the ‘right to transfer data’ (in a ‘common data format’).
This will cover data backups, long-term retention of data, and how a ‘laser destroy’ across all backup media could be performed if requested by your clients – importantly, a sound demonstration of good IT security posture – as well as penetration testing, IT threat detection, management and response, IT incident reporting, and a robust IT and security policy.
Checklist for the GDPR:
Statements of the information you collect and process, and the purpose for processing (article 13 of the GDPR).
Records of consent from data subjects or relevant holders of parental responsibility (articles 7 and 8).
Records of processing activities under your responsibility (article 30).
Documented processes for protecting personal data – an information security policy, network security policy, etc.
Critical documents – there are a number of these you will need in order to comply with the GDPR, including:
Mapping the flow of data across your organisation;
A procedure for conducting a privacy audit;
Clear and accurate privacy notices;
Data breach notification process and procedures;
Subject access request templates and procedures;
An international data transfer procedure;
Consent form templates;
Data protection impact assessment templates and procedures; and
Information security policies and procedures to keep your information secure.
What about fines?
I’ve heard the phrase “the DPA with teeth” to describe the GDPR, with a large emphasis on the fines.
By way of a recap, the possible fines for a ‘minor’ data breach – for example, if records are not adequately managed from a data protection standpoint, or are incorrect – could be up to €10m or 2 per cent of annual global turnover.
In the event of a ‘major’ data breach, which would constitute the loss of personal data, or the unauthorised transfer of data to a third party, the potential fine rises to €20m or 4 per cent of global annual turnover.
There is a 72-hour deadline within which to submit information of any incidents to the Information Commissioner’s Office, but do bear in mind that those are 72 elapsed hours, not working hours.
Having assisted with the implementation of both ISO 9001 and ISO 27001 in previous roles, I understand how daunting implementing new standards can be.
By taking a considered, pragmatic, sensible, and engaged approach, I’ve found such implementations to be both rewarding and far from a stressful process. The key is to ensure the business works with you to achieve any accreditation or regulation goal.
Particularly beneficial is engaging with the business early, and providing a factual, non-technical overview that everyone can easily understand and digest, setting out what needs to be done, when, and by whom.
As a battle-hardened IT professional, I strongly urge all firms to raise GDPR as a business risk rather than an IT project, so that it is not ‘owned’ by the in-house IT team and function, but is instead logged on the risk register and managed accordingly by the business.
Alex Loquens is IT director and data protection officer at Lodders, and sits on the firm’s GDPR committee