63% of data breaches involve a third party relationship.

63% of data breaches involve a third party relationship, so if you do not have suitable third-party contracts in place, a breach of your data by one of those parties will have a major impact on you.

The new General Data Protection Regulation (GDPR) – which comes into force on the 25th May 2018 – may at first review seem like “just another EU rule”. However, organizations – and specifically third party risk management teams within them – would take a “tick-box” approach to compliance at their peril.

In fact, the GDPR is such a significant new rule that any organization that does business with EU nationals and holds some form of personal data on them should dedicate the time and resources to take a more strategic approach to risk management and compliance within 2017, rather than waiting until next year or complying more tactically. Compliance with this rule requires a strategic approach because:

  • It is an EU regulation, but with significant extraterritorial implications. For example, it affects data about EU citizens processed elsewhere around the world.
  • Organizations have significant new risk responsibilities regarding the third parties they engage, who work with impacted personal data.
  • The new rule has much more robust protections woven into it for privacy, data protection, and consent.
  • The rule requires data protection to now be built into new products, rather than tacked on as an afterthought.
  • New fines and sanctions built into the rule are much more severe than under the previous rule – and, as the rule is written, they apply globally.
  • Organizations need to evidence that they have done what is required.

Some of the key features of GDPR


As an organisation you must ensure you are aware of the changes ahead and what they will mean for you.

  • Obtain Board and Senior Management Team support. This is no longer an area that can be the responsibility of one individual. Board level engagement is essential.
  • Consider the resource and procedural implications of putting in place robust and effective data governance for your organisation.
  • Privacy and data security are now part of corporate risk management. Add GDPR to your organisation’s risk register.
  • Task key people with keeping up to date with developments and make sure they are at an appropriate level of seniority and adequately resourced.
  • Run awareness sessions to ensure all staff are aware and up to date with the changes GDPR will bring to the organisation.


The GDPR considers consent an important part of ensuring individuals have control and an understanding of how their data are to be processed.

  • Consent must be:
    • Freely given
    • Specific
    • Informed
    • Unambiguous
  • There has to be a positive indication of agreement.
  • Consent as a basis for processing gives individuals stronger rights.
  • Data controllers must be able to evidence consent was given.
  • Parental consent is required to process children’s data on the internet.

Wider Scope

The GDPR will impact new and far reaching areas both geographically and procedurally. More organisations will be captured by the requirements and more data processing will be encompassed by the definitions.

  • Data Processors come under the remit of the GDPR and will have specific compliance obligations.
  • Organisations outside the EU, targeting EU citizens by offering goods or services or monitoring their behaviour will need to comply with GDPR.
  • If you have an EU presence or process data on EU citizens, you may need to nominate a representative in a Member State.

Individuals’ Rights

Individuals’ rights are enhanced and extended in a number of important areas. They include:

  • A right of access to data (Subject Access);
  • A right for the correction of data where inaccuracies have been identified;
  • A right to require the erasure of personal data (often referred to as the ‘right to be forgotten’);
  • A right to prevent direct marketing;
  • Control over automated decision making & profiling;
  • A right to data portability between controllers.

Subject Access Requests

As the GDPR captures more information within the definition of personal data, you must prepare ahead for access requests. Your records management systems and processes, both electronic and paper based, must be consciously designed to support the efficient discovery of information noting that:

  • In most circumstances no fee can be charged;
  • A response must be provided within 1 month;
  • More information is required to be provided including data retention periods & rights to have data corrected;
  • Policies & procedures will need to be in place to govern refusing requests.

Privacy Notices

Empowering individuals by being transparent and clear about how their data are going to be processed, and by whom, is a key element of compliance with the GDPR. At every point at which personal data are collected, whether that is from your clients, staff or others, review how you intend to provide the following at the time of collection:

  • Purpose of and legal basis for processing;
  • Recipients of the data;
  • Any third countries data are transferred to and safeguards in place;
  • Data retention periods;
  • The existence of individuals’ rights;
  • Right to withdraw consent where provided;
  • Data Protection Officer’s contact details;
  • Whether data provision has statutory or contractual basis;
  • Details where the legitimate interest condition has been relied upon.

Privacy By Design, DPIAs

The GDPR places much more emphasis on building in effective data protection practices and safeguards from the very beginning of all processing.

  • Data protection must be considered early on in projects involving data
  • Data Protection Impact Assessments (DPIA) are best practice and likely to be mandatory in some circumstances such as
    • Decisions that produce legal effects
    • Processing of special category data e.g. health data
    • Monitoring of publicly accessible areas

Ensure such processes become routine and well documented. As business models and processes change and evolve, so too do compliance needs. Regular reviews are therefore essential and should be proactively managed and recorded.

What, Where, Why, How

A detailed understanding of your own data processing underpins the accountability aspect of the GDPR. Any effective data governance strategy has to begin with a comprehensive data audit so ensure you have detailed and documented answers to the following key questions:

  • What personal data do you hold? Do you hold any special category data?
  • Where is it from and where is it sent?
  • Why is it processed? For what purpose?
  • How is the processing lawful and fair? Which of the conditions is met? Have you provided individuals with details about the processing of their data, including reference to the rights they have?

Data Protection Officers (DPOs)

Getting ready for the GDPR requires multidisciplinary skills and a multidisciplinary approach. Identifying and supporting a member of your staff with responsibility for data protection compliance may be a mandatory requirement for your organisation. But even if it is not, having someone in place undertaking that role will be beneficial to your organisation.

The DPO role will require a solid understanding of the way your organisation operates, and a skill set that stretches well beyond an understanding of legal compliance. It must include IT, cyber and data security, strategy, communication, risk management and so on, and the DPO must keep up to date with all of these skillsets and the latest training and certification available.

The GDPR is clear that such a role should be appropriately senior and autonomous. The DPO will be expected to be the public face of data protection for your organisation, which will necessarily include dealing with data subjects and the Data Protection Authority.

  • DPOs likely to be mandatory for:
    • Public authorities.
    • Organisations involved in high risk processing.
    • Organisations processing special categories of data in large volumes.
  • DPO must be suitably experienced and skilled.
  • Has set tasks including:
    • Inform & advise organisation of obligations.
    • Monitor compliance including awareness raising, staff training, audits.
    • Cooperate with Data Protection Authority and act as contact point for data subject and data commissioner.
  • The role can be shared with other organisations or combined with other functions, but none that conflict with day-to-day operations or IT.
  • Even if not mandated for your organisation, the EU is still encouraging organisations to appoint a DPO as a sign of their commitment to data protection, data security and GDPR compliance; some customers are also looking for this as part of their risk and compliance projects.
  • In Germany, for example, it is mandatory for organisations of more than 20 staff to have a DPO, and this is generally outsourced by SMEs because of the wide-ranging and specialist skillset required.

Penalties And Data Breaches

The GDPR provides for a tougher enforcement approach by the Data Protection Authority including the ability to impose significant fines.

  • Data breaches must be reported to the Data Protection Authority within 72 hours of discovery.
  • Individuals impacted should be told where there exists a high risk to their rights and freedoms, e.g. identity theft or personal safety.
  • Fines can be issued up to €20 million or 4% of global annual turnover.
  • The Data Protection Authority can issue reprimands, warnings and bans as well as fines.

The level of fine is likely to be dependent on a number of factors including:

  • Nature, gravity and duration including categories of data;
  • Intentional or negligent;
  • Action taken to mitigate damage;
  • Security and Privacy by Design measures;
  • Degree of co-operation;
  • How Data Protection Authority found out;
  • Previous enforcement activity;
  • Other aggravating or mitigating factors.

It is essential for data protection to be integrated into corporate risk management for your organisation. Consider how you will manage breach reporting both internally and in respect of your obligations to the Data Protection Authority. If you use a data processor, be clear about your expectations in respect of breach management and ensure these expectations are incorporated into the relevant contracts.

GDPR 12 Steps

Note: Compliance with existing data protection laws is assumed in these steps.

1 Becoming Aware

It is imperative that key personnel in your organisation are aware that the law is changing to the GDPR and start to factor this into their future planning. They should start to identify areas that could cause compliance problems under the GDPR. Initially, data controllers should review and enhance their organisation’s risk management processes, as implementing the GDPR could have significant implications for resources; especially for more complex organisations. Any delay in preparations may leave your organisation susceptible to compliance issues following the GDPR’s introduction.

2 Becoming Accountable

Make an inventory of all personal data you hold and examine it under the following headings:

  • Why are you holding it?
  • How did you obtain it?
  • Why was it originally gathered?
  • How long will you retain it?
  • How secure is it, both in terms of encryption and accessibility?
  • Do you ever share it with third parties and on what basis might you do so?

This is the first step towards compliance with the GDPR’s accountability principle, which requires organisations to demonstrate (and, in most cases, document) the ways in which they comply with data protection principles when transacting business. The inventory will also enable organisations to amend incorrect data or track third-party disclosures in the future, which is something that they may be required to do.

3 Communicating with Staff and Service Users

Review all current data privacy notices alerting individuals to the collection of their data. Identify any gaps that exist between the level of data collection and processing your organisation engages in, and how aware you have made your customers, staff and services users of this fact. If gaps exist, set about redressing them using the criteria laid out in ‘2: Becoming Accountable’ as your guide.

Before gathering any personal data, current legislation requires that you notify your customers of your identity, your reasons for gathering the data, the use(s) it will be put to, who it will be disclosed to, and if it’s going to be transferred outside the EU.

Under the GDPR, additional information must be communicated to individuals in advance of processing, such as the legal basis for processing the data, retention periods, the right of complaint where customers are unhappy with your implementation of any of these criteria, whether their data will be subject to automated decision making and their individual rights under the GDPR. The GDPR also requires that the information be provided in concise, easy to understand and clear language.

4 Personal Privacy Rights

You should review your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

Rights for individuals under the GDPR include:

  • subject access
  • to have inaccuracies corrected
  • to have information erased
  • to object to direct marketing
  • to restrict the processing of their information, including automated decision-making
  • data portability

On the whole, the rights individuals will enjoy under the GDPR are the same as those under the Acts, but with some significant enhancements. Organisations who already apply these principles will find the transition to the GDPR less difficult.

Review your current procedures. How would your organisation react if it received a request from a data subject wishing to exercise their rights under the GDPR?

  • How long to locate (and correct or delete) the data from all locations where it is stored?
  • Who will make the decisions about deletion?
  • Can your systems respond to the data portability provision of the GDPR, if applicable, where you have to provide the data electronically and in a commonly used format?

5 How will Access Requests change?

You should review and update your procedures and plan how you will handle requests within the new timescales. (There should be no undue delay in processing an Access Request and, at the latest, they must be concluded within one month).

The rules for dealing with subject access requests will change under the GDPR. In most cases, you will not be able to charge for processing an access request, unless you can demonstrate that the cost will be excessive. The timescale for processing an access request will also shorten, dropping significantly from the current 40 day period. Organisations will have some grounds for refusing to grant an access request. Where a request is deemed manifestly unfounded or excessive, it can be refused. However, organisations will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria.

You will also need to provide some additional information to people making requests, such as your data retention periods and the right to have inaccurate data corrected. If your organisation handles a large number of access requests, the impact of the changes could be considerable. The logistical implications of having to deal with requests in a shorter timeframe and provide additional information will need to be factored into future planning for organisations. It could ultimately save your organisation a great deal of administrative cost if you can develop systems that allow people to access their information easily online.

6 What we mean when we talk about a ‘Legal Basis’

You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it. This is particularly important where consent is relied upon as the sole legal basis for processing data. Under the GDPR, individuals will have a stronger right to have their data deleted where customer consent is the only justification for processing. You will have to explain your legal basis for processing personal data in your privacy notice and when you answer a subject access request.

For government departments and agencies, there has been a significant reduction in the number of legal bases they may rely on when processing data. It will no longer be possible to cite legitimate interests. Instead, there will be a general necessity to have specific legislative provisions underpinning one or more of the methods organisations use to process data. All organisations need to carefully consider how much personal data they gather, and why. If any categories can be discontinued, do so. For the data that remains, consider whether it needs to be kept in its raw format, and how quickly you can begin the process of anonymisation and pseudonymisation.

7 Using customer consent as a grounds to process data

If you do use customer consent when you record personal data, you should review how you seek, obtain and record that consent, and whether you need to make any changes. Consent must be ‘freely given, specific, informed and unambiguous’. Essentially, your customer cannot be forced into consent, or be unaware that they are consenting to processing of their personal data. They must know exactly what they are consenting to, and there can be no doubt that they are consenting. Obtaining consent requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity.

If consent is the legal basis relied upon to process personal data, you must make sure it will meet the standards required by the GDPR. If it does not, then you should amend your consent mechanisms or find an alternative legal basis. Note that consent has to be verifiable, that individuals must be informed in advance of their right to withdraw consent and that individuals generally have stronger rights where you rely on consent to process their data. The GDPR is clear that controllers must be able to demonstrate that consent was given. You should therefore review the systems you have for recording consent to ensure you have an effective audit trail.

8 Processing Children’s Data

If the work of your organisation involves the processing of data from underage subjects, you must ensure that you have adequate systems in place to verify individual ages and gather consent from guardians.

The GDPR introduces special protections for children’s data, particularly in the context of social media and commercial internet services. The state will define the age up to which an organisation must obtain consent from a guardian before processing a child’s data. It should be noted that consent needs to be verifiable, and therefore communicated to your underage customers in language they can understand.

9 Data Protection Impact Assessments (DPIA) and Data Protection by design and default

A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It will allow organisations to identify potential privacy issues before they arise, and come up with a way to mitigate them. A DPIA can involve discussions with relevant parties/stakeholders. Ultimately such an assessment may prove invaluable in determining the viability of future projects and initiatives. The GDPR introduces mandatory DPIAs for those organisations involved in high-risk processing; for example where a new technology is being deployed, where a profiling operation is likely to significantly affect individuals, or where there is large scale monitoring of a publicly accessible area.

Where the DPIA indicates that the risks identified in relation to the processing of personal data cannot be fully mitigated, data controllers will be required to consult the DPC before engaging in the process. Organisations should now start to assess whether future projects will require a DPIA and, if the project calls for a DPIA, consider:

  • Who will do it?
  • Who else needs to be involved?
  • Will the process be run centrally or locally?

It has always been good practice to adopt privacy by design as a default approach; privacy by design and the minimisation of data have always been implicit requirements of the data protection principles. However, the GDPR enshrines both the principle of ‘privacy by design’ and the principle of ‘privacy by default’ in law. This means that service settings must be automatically privacy friendly, and requires that the development of services and products takes account of privacy considerations from the outset.

10 Reporting data breaches

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

Some organisations are already required to notify the DPC when they incur a personal data breach. However, the GDPR will bring in mandatory breach notifications, which will be new to many organisations. All breaches must be reported to the DPC, typically within 72 hours, unless the data was anonymised or encrypted. In practice this will mean that most data breaches must be reported to the DPC. Breaches that are likely to bring harm to an individual – such as identity theft or breach of confidentiality – must also be reported to the individuals concerned. Now is the time to assess the types of data you hold and document which ones fall within the notification requirement in the event of a breach. Larger organisations will need to develop policies and procedures for managing data breaches, at both central and local level.

It is worth noting that a failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.

11 Data Protection Officers

The GDPR will require some organisations to designate a Data Protection Officer (DPO). Organisations requiring DPOs include public authorities, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale, or organisations who process what is currently known as sensitive personal data on a large scale.

The important thing is to make sure that someone in your organisation, or an external data protection advisor, takes responsibility for your data protection compliance and has the knowledge, support and authority to do so effectively.

Therefore you should consider now whether you will be required to designate a DPO and, if so, to assess whether your current approach to data protection compliance will meet the GDPR’s requirements.

12 Cross-border processing and the one stop shop

The GDPR includes the one stop shop (OSS) mechanism, which will be in place for data controllers and data processors that are engaged in cross-border processing of personal data.

The OSS will allow your organisation to deal with a single lead supervisory authority (LSA) for most of your processing activities. Your LSA will be the supervisory authority of the country in which you have your main establishment. For the OSS to apply to your organisation, you must be engaged in cross-border processing and be established in the European Union.

The way you will identify your main establishment depends on whether you are a data controller or a data processor, but in general it will be helpful for you to map out where your organisation makes its decisions about data processing.