GDPR < 100 Days to go

At Fifth Step, we have been talking about and helping companies prepare for GDPR for the past 2 years. This week saw a big milestone passed: it is now less than 100 days until the GDPR becomes enforceable. So what are some of the issues that firms should be looking at and making sure are in place, or going to be in place, in time for May 25th?

Personal and Sensitive Personal Data Privacy and Protection

The primary aim of the GDPR is to protect and maintain the privacy of the personal data for which you are responsible. By now you should have this in place, or be confident that you are going to achieve it in time.

Privacy Notice

Your organisation’s data privacy notice is the text or document that will inform data subjects about:

- How their data is used
- Why it is needed
- Who will process it
- How long it will be kept for
- The lawful basis for the processing, and the rights the data subject has, including how to withdraw consent or complain to the supervisory authority

This information will (in most cases) need to be provided to the data subject at the time their personal data is collected, before they hand it over.

Personal Data Usage

Understanding how, where and why your organisation is using the personal data that it collects is a vital part of being able to comply with the GDPR. By May 25th your business must have this level of understanding and be able to demonstrate that its practices align with its privacy notice.

Consent Statement and Consent Storage

Informed consent by the data subject is a cornerstone of the GDPR: it is one of the lawful bases for processing, and where you rely on it, the GDPR requires the controller to be able to demonstrate that consent was given. Many companies understand that they need to gain consent, but some do not appreciate the importance of storing consent records and being able to show that a data subject gave consent for their data to be used, which purposes they consented to, when, and what they were told at the time. Consent must also be as easy to withdraw as it was to give, so your records need to capture withdrawals as well as grants.

Vendor Contracts

There is a phrase that I have been using for the last couple of years in relation to governance requirements imposed by regulators around the world:

“You can outsource the function but not the responsibility”

This is the case with the GDPR: if your business uses third parties to process personal data on its behalf, you must ensure that the contracts between the organisations contain the terms the GDPR requires of a processor (processing only on your documented instructions, confidentiality, security measures, assistance with data subject requests, and deletion or return of the data at the end of the contract). This becomes even more important where the vendor is located in a "third country" (outside the EEA and not covered by an adequacy decision), because the transfer itself then needs a lawful mechanism, such as standard contractual clauses, in addition to the processing contract.

Your vendors must be able to demonstrate that they can identify the data that they process on your company's behalf, and that they are aware of and only process the data in accordance with your business purpose(s). Critically, the contract must oblige the vendor to notify you of a personal data breach without undue delay, and your company must have a data breach plan in place, so that between you the supervisory authority's 72-hour breach reporting timescale can be met.

Vendor compliance is an area that many companies are asking for help with.

Data Breach Incident Response Plan

As mentioned in the vendor contracts section, the GDPR requires that you notify the Data Protection Authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals). Where the breach is likely to result in a high risk to data subjects, they must be informed as well, without undue delay. Having helped companies deal with data and cybersecurity incidents I can assure you that 3 days is not a long time in these situations, and your process needs to be honed and practised to ensure that you are able to provide the right level of information within the 72-hour timeframe. The GDPR does allow the information to be provided in phases if it is not all available at once, but a late first notification has to be justified. The information required includes:

- The nature of the breach, including the categories and approximate number of data subjects and personal data records concerned
- The contact details of your DPO or other contact point
- The likely consequences of the breach for the data subjects
- The cause of the breach as far as it is known (was it a theft, a hack, a misdirected email, etc.)
- The action that has been taken, or is proposed, to address the breach and mitigate its effects

Implementing incident response plans and ensuring that they are appropriate to the company’s needs is an area that firms often need help with.

Computer Systems

Organisations' computer systems need to be changed to ensure they are GDPR compliant and can cater for all of the rights of the data subject, for example locating and exporting everything held about one person, correcting it, or erasing it across every system and copy. For in-house systems, this means that in-house teams are going to be very busy making the changes required.

Where systems are provided by third-party vendors, companies need to ensure that these suppliers are performing the updates required to ensure that the systems will still be fit for purpose.

Irrespective of who is performing the changes, a project is likely to be required to ensure that systems are tested and that their implementation is scheduled (release slots are already constrained for some organisations), so that the systems are live in time for May 25th whilst causing the minimum disruption to normal business operations.

Business Processes to Provide Data Subject’s Rights

The rights of the data subject have been added to and enhanced from those in the Data Protection Directive: access, rectification, erasure, restriction of processing, data portability, objection, and rights in relation to automated decision-making, most of which must be honoured within one month of the request. This means that your organisation needs to ensure that new business processes have been designed and implemented, and that existing ones have been checked, so that they provide the protection and the access to data that the GDPR intends.

Data Privacy Policy

Most businesses have a data privacy policy these days; these will need to be updated, though, to ensure they recognise the requirements of the GDPR.

Business Continuity Policy

A business continuity policy and plan is vital to ensuring data protection and the availability of data required by the GDPR: the ability to restore the availability of and access to personal data in a timely manner after an incident is an explicit part of the security measures the GDPR expects. This is a requirement that has been overlooked by many companies, which now realise that they need help to build and demonstrate these capabilities.

Data Retention Policy

Under the GDPR, personal data can only be retained for as long as it is needed for the purposes for which it was collected. That applies whatever the lawful basis: where the basis is consent, withdrawal of that consent removes the reason for keeping the data unless another basis applies, and data kept beyond the purpose needs a specific justification, such as a statutory record-keeping obligation.

Having a demonstrable data retention policy and capability, which is aligned with the business requirements and the privacy notice, is likely to involve many parts of your business.

One tip here – don’t forget about your data archives or backups that may be retained for an extended period of time.
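The consent-storage point made earlier and the retention rule in this section come together in how consent records are kept. The following is an added example written for this post; it is not Fifth Step's tooling or any product's code. It assumes a hypothetical record layout (a purpose-scoped grant or withdrawal, the privacy-notice version shown, and the capture channel), a hypothetical retention table per purpose, and constructed subject identifiers and dates. The records are hash-chained so that, when you need to demonstrate what a data subject agreed to, an altered or missing record shows up on replay; the retention check then derives the erasure date from the governing consent event.

```python
"""Consent ledger with purpose-scoped consent, withdrawal and retention checks.

Added example, not code from the original post or from Fifth Step. The record
layout, retention periods, subject identifiers and dates are all assumptions.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
import hashlib
import json

# Hypothetical retention periods per purpose, taken from the controller's
# retention policy. A purpose with no entry has no basis for keeping data.
RETENTION_PERIODS: Dict[str, timedelta] = {
    "order-fulfilment": timedelta(days=365 * 6),  # constructed value
    "marketing": timedelta(days=365 * 2),         # constructed value
}

GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str         # the specific purpose consented to or withdrawn
    granted: bool        # True = consent given, False = consent withdrawn
    at: datetime         # timezone-aware time the event was captured
    notice_version: str  # version of the privacy notice shown to the subject
    source: str          # capture channel, e.g. "web-form" or "call-centre"
    prev_hash: str       # hash of the preceding event (chain link)
    hash: str            # SHA-256 over this event's fields plus prev_hash

    @staticmethod
    def compute_hash(prev_hash: str, **fields) -> str:
        payload = json.dumps({**fields, "prev_hash": prev_hash}, sort_keys=True)
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def fields(self) -> dict:
        return dict(subject_id=self.subject_id, purpose=self.purpose,
                    granted=self.granted, at=self.at.isoformat(),
                    notice_version=self.notice_version, source=self.source)


class ConsentLedger:
    """Append-only log of consent events; each carries the hash of the one
    before it, so replaying the chain detects an altered or removed record."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, granted: bool, at: datetime,
               notice_version: str, source: str) -> ConsentEvent:
        if at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        if self._events and at < self._events[-1].at:
            raise ValueError("events must be appended in time order")
        prev = self._events[-1].hash if self._events else GENESIS_HASH
        fields = dict(subject_id=subject_id, purpose=purpose, granted=granted,
                      at=at.isoformat(), notice_version=notice_version, source=source)
        event = ConsentEvent(subject_id, purpose, granted, at, notice_version,
                             source, prev, ConsentEvent.compute_hash(prev, **fields))
        self._events.append(event)
        return event

    def verify(self) -> bool:
        """Replay the chain; False if any record was altered or dropped."""
        prev = GENESIS_HASH
        for ev in self._events:
            if ev.prev_hash != prev or ev.hash != ConsentEvent.compute_hash(prev, **ev.fields()):
                return False
            prev = ev.hash
        return True

    def governing_event(self, subject_id: str, purpose: str, when: datetime) -> Optional[ConsentEvent]:
        """Latest grant or withdrawal for this subject and purpose at `when`."""
        latest = None
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose and ev.at <= when:
                latest = ev
        return latest

    def has_consent(self, subject_id: str, purpose: str, when: datetime) -> bool:
        ev = self.governing_event(subject_id, purpose, when)
        return ev is not None and ev.granted

    def erase_by(self, subject_id: str, purpose: str, now: datetime) -> Optional[datetime]:
        """Date by which data held under consent for this purpose must be gone.
        Withdrawal: erase from the withdrawal. Valid grant: after the purpose's
        retention period (immediately if the purpose has none). None: no consent
        recorded, so the caller must look for another lawful basis."""
        ev = self.governing_event(subject_id, purpose, now)
        if ev is None:
            return None
        if not ev.granted:
            return ev.at
        period = RETENTION_PERIODS.get(purpose)
        return ev.at + period if period else ev.at


def demo() -> dict:
    """Constructed walk-through: one subject grants marketing consent and
    withdraws it 30 days later; then someone edits the original grant."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 2, 14, 10, 0, tzinfo=timezone.utc)  # constructed date
    t1 = t0 + timedelta(days=30)
    ledger.record("subject-42", "marketing", True, t0, "notice-v3", "web-form")
    ledger.record("subject-42", "marketing", False, t1, "notice-v3", "email-unsubscribe")
    result = {
        "consented_day_1": ledger.has_consent("subject-42", "marketing", t0 + timedelta(days=1)),
        "consented_day_31": ledger.has_consent("subject-42", "marketing", t1 + timedelta(days=1)),
        "other_purpose": ledger.has_consent("subject-42", "order-fulfilment", t1),
        "erase_marketing_by": ledger.erase_by("subject-42", "marketing", t1 + timedelta(days=1)).isoformat(),
        "chain_intact": ledger.verify(),
    }
    # Tampering: rewrite the original grant as a withdrawal; the chain breaks.
    ledger._events[0] = replace(ledger._events[0], granted=False)
    result["chain_intact_after_tamper"] = ledger.verify()
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hash chain is only tamper-evident, not tamper-proof: whoever can rewrite the whole ledger can recompute every hash, so in production the ledger should be append-only at the storage layer and its head hash anchored somewhere the application cannot write (a periodic signed export, a write-once log store, or an external timestamp). The erase_by date is the deadline for the data held under consent for that purpose; data kept under a different lawful basis for the same subject is governed by that basis's own retention rule, not by this one.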

Data Protection Officer (DPO)

Every organisation should have a named person who owns data protection and acts as the contact point for its Data Protection Authority and for data subjects; this is the minimal end of the DPO spectrum. A formal DPO is mandatory for public authorities, for organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and for those processing sensitive (special category) personal data or criminal conviction data on a large scale. The DPO oversees the organisation's compliance with the GDPR, advises on data protection impact assessments, is involved in the management of data breaches, and must be able to report to the highest level of management without being instructed how to do the job.

This is an area that Fifth Step helps many of its clients with, providing its Data Protection Officer service.

Your Next Step

If you would like more information about Fifth Step and how we can help you with your GDPR assessments, GDPR change projects and providing you with a flexible and fractional DPO then please contact us at www.fifthstep.com or by email enquiries@fifthstep.com.

Darren Wray