By Alexandre Mollard, Head of Compliance at Lombard International Assurance
The EU General Data Protection Regulation (GDPR) is the most important change in data privacy in 20 years. After four years of preparation and debate, the regulation was finally approved and adopted by the EU Parliament in April 2016 and is set to be enforced in under a year, on 25 May 2018.
With the GDPR, the European Commission intends to increase individual’s fundamental rights to data protection, in particular with respect to the processing of personal data, and strengthen obligations against companies, while unifying the regulation in the EEA.
Within this, one of the Commission’s primary objectives is to give citizens back the control of their personal data – something that is particularly important in an age where digital processes handle ever greater quantities of sensitive personal data.
This means that the GDPR is at the centre of relationships between individuals to whom personal data belongs and the companies that take responsibility for it. This is a complex relationship and one that is sure to evolve as the regulation becomes better understood, but one thing is already clear: in order to really give individuals the control that has been promised, regulation is not the only area that needs to evolve.
Businesses must also incorporate data protection into their strategy, structure and company culture and Data Protection Officers (DPO) need to act as an interface between the company, the individual and the regulator.
Adapting to the GDPR
The GDPR will impact businesses of all descriptions and in every industry. Some sectors, like finance, have already responded to increased scrutiny on clients’ data security and are therefore perhaps better prepared to meet the demands of the regulation. However, this does not apply to all companies and some still do not have proper governance around personal data.
Indeed, the secure processing of personal data has often been lower on the business agenda and greater attention and resource has been spent on processing special categories of data such as CCTV surveillance, telephone recording or email monitoring. Moreover, in many instances data protection has fallen somewhere in between the activities of compliance and legal teams, leading to a reluctance to accept responsibility and, consequently, accountability for any issues.
This is unsustainable and this new piece of regulation presents a unique opportunity to clearly delineate responsibility and ownership for these key functions. This is where the Data Protection Officer’s role will come into its own.
This person should be responsible for the creation and management of a personal data register, which should ideally be built around the new GDPR requirement. Therefore, it should outline the objective of the data processing, its legitimacy, appropriateness, accuracy of personal data collected,security, transfers in/out (not automatically linked to an outsourcing arrangement) and archiving principles. All of this must be done in a way that will allow for an assessment not only of the compliance of personal data processing, but also what actions should be taken off the back of it.
In order to make this process as efficient as possible, Data Protection Officers should be supported by “data owners”, such as departmental heads, who can help equip and maintain each personal data register. This is a key point, as data protection cannot be managed by one person alone, siloed to a separate part of a business. An effective response to the GDPR should come from Senior Management downwards to ensure that all key stakeholders are on-board and that the whole process is properly documented and implemented.
This is of course a somewhat intimidating project and will undoubtedly be a challenge for many. Ensuring that data protection infiltrates the very heart of a business requires a strategic and measured approach, ensuring that one does not over-engineer the process. It’s helpful to remember that, in practice, all areas of work can be defined as one of the following three work-streams:
- IT Systems
All activity that falls under ‘IT Systems’should cover both the changes that need to be implemented in current systemsin order to comply with the GDPRand the key features that are expected from any new IT systems.
It is likely that large-scale upgrades will be required but, where no changes are suggested, it is still important to document and explain why things cannot be changed (for example, technical or legitimate reasons or costs) and what mitigating controls are already in place.
The second work-stream on ‘Governance’should cover the changes to corporate documentation and the respective data protection policies and procedures. Essential to this is a detailed review of who is responsible for each element of a data protection scheme.
The third stream on ‘Legal’ should cover the review and updates to legal documentation and contractual agreements. It should also include a review of individuals’ rights, including how employees consent should be obtained with respect to the subordinated relationship with the employer to demonstrate it was given freely. All data transfers, including outsourcing arrangements also fall under this stream.
Those three work-streams should take into consideration any potential gap from the 1995 directive. The “back-book” which keeps a registry of such things as contractual documentation with clients, employees or external providers should be assessed to ensure that contracts are in line with the GDPR principles including rights of individuals, relationship with providers and outsourcing to a third-country, amongst others.
Taking all these factors into account should make the process of complying with the GDPR rules manageable and maintainable. This is an issue that won’t be solved over-night, so instilling the foundations of data protection into the heart of businesses and employees will be productive in helping meet the demands effectively and productively.