GDPR: What we’ve learnt so far

Following its introduction back in May, we are now some four months into the General Data Protection Regulation (GDPR) and it remains a hot topic with clients. Whilst the furore of the May deadline has been and gone, does the appetite to become or even remain GDPR compliant still exist?

Since May, our team has been spending time ensuring our clients’ preparations are well executed and helping them provide a clear picture of where their data exists. The interesting aspect to this is that no matter the organisation, or goals associated with it, they all have personal data that requires protection of varying degrees. Some make their business about the personal data, some need the data to enable business and some have it to operate a business.

GDPR compliance is an ongoing process and will require an ongoing effort. Organisations have had two years to prepare for the regulations and yet many have only just started their compliance journey. While this is not ideal, it is likely that the Information Commissioners Office (ICO) will not tolerate non-compliance.

So what have we seen so far? Several common themes have emerged that we thought would be useful to share:

Breach and incident reporting

The processes to support the identification of and subsequent reporting of a breach, loss or incident to the ICO have not been robust enough to report in a timely manner. That – coupled with a lack of coordinated involvement, role responsibility and a “what happens if” plan – has put organisations at risk of falling at the first hurdle when reporting within the mandatory 72 hours deadline.

Data Protection Officer (appointed internally or externally)

Small, medium or large organisations have all found this area challenging. Articles within the GDPR state that an independent person should be appointed and have responsibility for managing the protection of data and acting on the organisation’s behalf in regard to all matters relating to data protection. This single resource can be quite draining, expensive and doesn’t often exist within organisations. Moreover, there is confusion around ownership of all data protection activity, both at operational and board level.

Third party assurance

Most organisations were successful in identifying where their personal data is, during transit, at rest and when in use. However, some have forgone responsibility for the data once it is handed over to a third party. This is simply no longer acceptable and is a dangerous weakness in the controls that should be in place. Upon review, several clients did not have contractual requirements outlining the security and protection standards afforded to personal data found in service agreements. Many clients had not considered due diligence within their supply chain and the use of third parties to ensure compliance.

Myth buster: Technology is not enough
Technology alone cannot solve your compliance questions, lawyers can certainly position you legally and assist with those aspects within the regulations such as the bases for processing and contractual agreements. Insurance companies can offer some level of protection, but only the organisation itself can do the real work required: it is not easy but it is achievable.

Richard Bell, our Privacy & Security Director, said: “We work closely with decision-makers assisting them with the implementation of data privacy measures. We help audit their compliance obligations and resiliency by testing systems, processes and infrastructure.”

Our team offers support and assists with an organisation’s GDPR compliance, cybersecurity and incident response measures, including:
• A complete review and/or developing a framework of policies and procedures needed to ensure GDPR compliance
• Provide a plan for Data Protection or Privacy by Design documentation
• Implement a regular review of security access and controls to ensure privacy and security of personal data
• Help organisations develop a staff training and awareness programme
• Provide leadership support and a business focal point for training to all staff on GDPR matters
• Support the regular testing regime of breach and incident response including specific development of bespoke desktop and playbook exercises to test decision making procedures
• Develop a communication plan for internal and external messaging to clients and staff, offering specific support for press and media handling
• Conduct information and security audits across the business to review, identify and assess known and unknown risks, including site visits, physical security reviews and provide an assurance opinion
• Ongoing virtual support and communication and reporting on the current state of the organisation
• Dedicated data protection experts who can provide real-time assurance through the provision of appropriate reporting mechanisms