With the deadline for the new EU General Data Protection Regulation (GDPR) approaching fast (May 25th 2018), many organisations are struggling to implement the required changes and ensure compliance. Failure to comply can ultimately lead to hefty fines of up to 4 per cent of a firm’s turnover or €20 million, whichever is greater, as well as potential damage to reputation and the possible loss of future business.
Organisations with EU citizens as clients and employees should carry out a data-protection risk assessment to review the policies and processes that govern the firm’s data security, and devise a process to ensure future compliance and adequate breach notification.
The Challenges
- Correctly identifying personal data (anything that identifies an EU citizen) and ensuring the processors are compliant
- Demonstrating that the organisation’s mechanism for obtaining clear and unambiguous consent from the data subjects has been appropriately upgraded
- Redesigning existing IT systems to incorporate the new GDPR requirements, including privacy by design, which may or may not fit easily within the existing IT landscape
- Identifying the gaps between the current Data Protection Act (DPA) and the new GDPR legislation and filling these by making the necessary policy changes to systems, processes and staff training across the whole institution
- Ensuring adequate resources throughout the firm to facilitate compliance
- Avoiding financial penalties
The Brickendon Solution
- Update systems and processes to make a clear distinction between personal data and non-personal data
- Implement mechanisms to identify personal data that is no longer fit for purpose and discard it as appropriate
- Embed the new data subjects’ rights into the firm’s data management framework and policies
- Set up an efficient incident management framework to ensure breaches can be reported in a systematic and timely manner
- Establish a system to ensure data subjects are notified of their new privacy rights and that explicit consent is obtained for all data collected
- Redraft contracts with third parties to fully reflect the new liabilities and responsibilities
- Ensure all staff handling personal data are fully trained and capable of carrying out their normal duties whilst complying with GDPR
Client Benefits
- Simplification of a complex, non-specific regulatory requirement
- A guarantee that the firm is doing enough to ensure minimum compliance standards are met, but does not overspend on remediation activities
- Clear ownership of remediation activities
- Minimal risk of security incidents
- Increased confidence between controllers and processors due to shared liability
- Integration of breach notification within an incident management framework
- Confidence in the reporting of compliance with non-specific regulation