It’s a New Year, and as we roll into 2018, the eyes of businesses all over the UK will be focused on GDPR. This is a huge piece of legislation that brings with it a lot of necessary changes regarding data protection and the data rights of the individual, but who is responsible for implementing the data governance policies and systems you need to put in place?
Essentially, GDPR requires every business holding the data of EU citizens to make data governance a central tenet of everything it does. An organisation can’t just say it has put data protection policies and systems in place; it also needs to be able to prove that it has done so, and to show that it continues to practise them effectively in its day-to-day activities.
Documenting what has been put in place means accountability and good record keeping, and it involves starting with an overview of the entire company. Every business will need to implement data mapping to know:
- What data they have
- What they use it for
- How it comes into the organisation
- Who has access to it
- How it is processed
- Why it is processed
- What data protection measures are in place to keep it secure while it is in the organisation
- What controls are in place for the safe removal of data
The answers to each of these must fall in line with the regulations, otherwise your business faces some pretty hefty fines, and you must be able to show due diligence in the form of a proactive attempt to meet compliance standards.
For starters, this should include:
- Performing an audit of all the data your organisation holds, where it is, and what you can get rid of
- Developing an understanding of what GDPR requires, and what the results of not being compliant will be, with training for all personnel
- Documenting a Data Governance and Privacy model with clear roles and responsibilities so that compliance best practices are understood across the organisation
- Considering whether a statutory Data Protection Officer (DPO) is required - not every business requires one but it is strongly advised that you appoint one
It is important that all staff members within an organisation understand the basics of data protection. However, some roles will require a deeper understanding of what needs to be done, and how to do it. An obvious starting point is the IT team, who will need to put in place the IT security measures for servers, systems, the cloud, devices, etc., but there are also three accountable roles that need to be focused on – the data controller, the data processor, and the data protection officer.
The Data Controller
The buck essentially stops with the Data Controller. They are the people responsible for the overall implementation of data governance policies and systems, and must be able to provide transparent documentation of the following:
- The name and contact details of the controller and the data protection officer (if one is appointed)
- The purposes of the processing
- A description of the categories of data subjects and of the categories of personal data
- The categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organisations
- Transfers of personal data to a third country or an international organisation, including the name of the country or international organisation and the documentation of the safeguards for the transfer (e.g. based on consent, necessary to perform a contract, public interest)
- Where possible, the time limits for erasure of the different categories of data
- Where possible, a general description of the technical and organisational security measures
The Data Processor
The Data Processor is the person or body who oversees the actual handling of data and its movement through the organisation, based on the policies, rules and systems outlined by the data controller. They need to be able to prove that they have the required level of data protection in place to do so.
All processors are required to:
- Only process personal data on instructions from the controller, and inform the controller if it believes said instruction infringes on the GDPR legislation. In other words, a data processor (whether in-house or outsourced to an external service provider) may not opportunistically use or mine personal data it is entrusted with for purposes not outlined by the data controller.
- Obtain written permission from the controller before engaging a subcontractor and assume full liability for failures of subcontractors to meet the GDPR requirements
- Upon request, delete or return all personal data to the controller at the end of the service contract
- Enable and contribute to compliance audits conducted by the controller or a representative of the controller
- Take reasonable steps to secure data, such as encryption, pseudonymisation and tokenisation, backup and disaster recovery, and regular security testing (firewall reviews, penetration tests, data loss prevention, etc.)
- Notify data controllers without undue delay upon learning of any data breaches
- Transfer personal data to a third country only if legal safeguards are in place
The Data Protection Officer
It is advised that a DPO be appointed to oversee, monitor, enforce and report on the implementation of the systems and policies that need to be put in place, and to be able to demonstrate transparency regarding these.
Though a more junior role than that of the processor or controller, they are nevertheless the person upon whom most of the actions will fall. The man on the ground, so to speak, they are essentially responsible for the ongoing documentation of what has been done to meet compliance, providing the proof of robust data governance required by the legislation. Their role includes:
- Informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other data protection laws
- Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, training data processing staff, and conducting internal audits
- Advising on data protection impact assessments
- Working and cooperating with the controller’s or processor’s designated supervisory authority and serving as the contact point for the supervisory authority on issues relating to the processing of personal data
- Being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights.
The GDPR Experts
While the GDPR legislation states that a Data Protection Officer is not required by every organisation, it is a little vague on who is exempt. An early draft suggested that companies with fewer than 250 employees would not need one, but that seems to be absent from the final draft. Our advice would be to appoint one anyway.
However, many organisations will look to hire somebody at quite a junior level to take on this role, and that person may be left wondering what the hell they are going to do with such a responsibility. The main problem for many organisations trying to understand what this new legislation will involve is that it outlines what they need to do in order to be compliant, but is not so strong when it comes to how to actually do it.
This is why hiring a certified GDPR practitioner who provides IT support is a good idea. They can:
- Assess and advise on what needs to be done following a comprehensive GDPR audit
- Educate staff on their responsibilities with GDPR training on security, accountability and best practices
- Take the Data Protection Officer (and the Data Controller) through the best practices that will help them meet and prove compliance
- Implement the data protection solutions needed
- Implement data governance controls
Ultimately, proving that your organisation is compliant with GDPR requirements for data governance is your responsibility, but hiring a GDPR consultant can be the helping hand you need to get to work and avoid the spectre of business-crippling fines when the May 2018 deadline comes around.
As certified GDPR experts, pebble.it can help you meet GDPR compliance across your organisation. Discover the steps that will put you on the road towards compliance and how we can help you get there by downloading our GDPR-readiness checklist: