Most of us have heard of the General Data Protection Regulation (GDPR) by now, but in some areas of business, the implications haven’t fully registered. In a recent BBC article, Chris Daly, chief executive of the Chartered Institute of Marketing, says:
“There is a real lack of awareness about this issue in our sector – 60% thought it wouldn’t affect their business at all.”
For the record, the GDPR is a comprehensive new EU privacy regulation that has widespread privacy and data protection implications for organisations. The GDPR, which will become UK law on 25 May 2018, has at its heart the principle that your data is as much a personal possession as your house, your car or any other item you own and that there needs to be a law in place to enshrine that principle and penalise those who steal or misuse your data.
In short, the regulation aims to put individuals back in control of their personal data and, in doing this, creates a number of obligations for organisations that hold this type of data, with eye-watering financial penalties for non-compliance – the maximum being the greater of €20 million or 4% of global revenue. And we now know from the Queen’s Speech on 21 June 2017 that new data protection laws will be implemented in the UK irrespective of Brexit.
So, what do we need to do? As ever, preparation and planning are crucial to ensuring that your organisation meets its obligations when dealing with personal data. A good place to start is with the advice from the regulator – the UK regulator is the Information Commissioner’s Office (ICO), which has issued guidance for UK organisations on preparing for the GDPR. They have published (and are regularly updating) a 12-step plan, with the first two steps shown in the image below.
“Preparing for the GDPR – 12 steps to take now” May 2017
Note the last line – you may need to organise an information audit. I would love to think that the ICO is being slightly ironic using the word “may” here – unless you are a very rare breed of organisation, that should read “will”. Yes, we have come across organisations that have carried out an audit or are in the process of carrying one out, but even then, vital parts of the audit have often been missed.
So what should be in your audit? Well, there are two elements that determine the level of risk to which your organisation is exposed:
- The quantity, type and location of the personal data you hold.
- The complexity of the business processes that use this personal data.
To enable your organisation to make informed decisions about compliance with the GDPR, both areas need to be covered.
That means your audit needs to produce:
- A personal data “Data Map” – what type of personal data does my organisation hold, how much of it do we have and where is it stored?
- A personal data “Data Flow and Process Map” – how is the identified personal data used by the organisation, who do we share it with and how is it protected during these processes?
Once this is done, a risk assessment can be carried out and, if you want to get serious, this can be turned into a “Heat Map” for presentation to senior management to highlight high-risk areas. Alongside this should be a set of recommendations and remedial actions for dealing with the risks.
Job done? No, job started.
After this, you can deep dive into more complex areas such as the legal basis for holding and processing data and those tricky new individual rights such as the right to erasure, portability and the right to restrict processing – all of which create a further set of obligations on organisations holding personal data.