In the wake of the recent national ransomware attack and the significant fine imposed on Facebook over its acquisition of WhatsApp, data protection is hitting the front pages more frequently than ever before (see Legal update, Commission fines Facebook for providing misleading information about acquisition of WhatsApp). This trend is only likely to intensify as cyber attacks grow in frequency and impact, and with the advent of rigorous compliance requirements and substantial fines under the EU General Data Protection Regulation (GDPR), which applies from 25 May 2018, a year from today.
The challenge for us as legal advisers is to ensure that data protection in general, and the GDPR in particular, hits the headlines within the confines of our own organisations, so that we are as ready as we can be for 25 May 2018.
The GDPR in many ways represents an evolution of data protection law. What was once best practice will become a mandatory legal requirement. Concepts born of good (information) governance, such as transparency and accountability, become compulsory. Given that many organisations have yet to get to grips with the current regime, the prospect of even attempting compliance with the new one can seem a daunting and Herculean task.
I set out below suggestions as to steps that can be taken now to make best use of the next twelve months. There is undoubtedly a lot of work to be done, but in my view following the process described below will provide a road map and direction to what will be challenging times ahead.
- Engage. Securing buy-in at senior level will be critical to introducing the changes required for GDPR compliance. Nominal responsibility at director / trustee level will not be sufficient. What is needed is meaningful engagement and accountability: standing items on board, senior management team and executive management team meeting agendas over the next year and periodically after May 2018; inclusion of data protection on corporate risk registers and the like; and delegation, as appropriate, to audit or similar oversight committees. GDPR non-compliance is an area of significant regulatory, legal, operational and reputational risk and must be recognised as such (see Practice note, EU General Data Protection Regulation: enforcement sanctions and remedies).
- Organise. Establish a working group of colleagues from across the organisation who operate at a sufficiently senior level to introduce change within their respective departments or sectors. Put monthly meetings in the calendar for the remainder of the year. Draft terms of reference for the group based on the steps set out below. Establish reporting lines from the working group to the senior officer with responsibility for data protection identified above. Assess whether your organisation is required to appoint a data protection officer (see Practice note, Overview of EU General Data Protection Regulation: appointment of a data protection officer).
- Audit. We need to know what personal data we hold, where, why and for how long. Consider whether any entities outside of the EU are subject to the GDPR (see Practice note, Overview of EU General Data Protection Regulation: territorial scope). Are data processor agreements compliant (see In-house blog, GDPR: first lines of attack on the new data processor compliance obligations)? The audit can be undertaken by survey and championed by the members of the working group (see Practice note, Overview of EU General Data Protection Regulation: obligations on data controllers and data processors).
- Cleanse. Using the results of the audit, challenge the data held with a view to minimising it. Vigorously apply record retention policies. Securely destroy all personal data where retention cannot be justified. Review the media on which personal data is held with a view to improving data security.
- Review. Review all relevant policies, procedures, privacy notices and the means by which consents to processing are captured (see Practice note, Overview of EU General Data Protection Regulation: consent requirements and Legal update, ICO consults on GDPR consent guidance). Are they GDPR-compliant? Would we be content to publish them? Are we obtaining the consents we need to meet our organisational objectives? Would published FAQs assist? How will we manage mandatory breach notification within the new 72-hour timescale (see Practice note, Overview of EU General Data Protection Regulation: data security breach)? Are procedures in place to meet the strengthened rights of individuals (see Practice note, Overview of EU General Data Protection Regulation: rights of data subject)?
- Determine. If operating in more than one EU member state, determine which supervisory authority will be the lead supervisory authority under the “one-stop shop” procedure (see Practice note, EU General Data Protection Regulation: enforcement, sanctions and remedies: competence and the “one-stop-shop”).
- Educate. For data protection to penetrate our corporate thinking, every member of staff must have an awareness of it. If we are to comply with the obligation to notify personal data breaches to the supervisory authority within 72 hours, colleagues must understand what personal data is, what a breach is, what those obligations are and how to report a suspected breach internally so that the clock is not lost.
The steps set out above will need to be adjusted to suit the nuances of the particular organisational and political context, and will to some extent require a cultural shift to a point where data protection is embedded in everything we do, every day.
But it is arguably the failure of the previous legislation to achieve that goal that gave rise to the need for the GDPR in the first place. By adopting a systematic and organised approach, and backed up by buy-in at senior level, we can turn mission impossible into mission accomplished.
For further information, see EU General Data Protection Regulation toolkit and Legal update, ICO warns businesses to prepare with one year to go until the GDPR.