This paper contains the thoughts of New Link Consulting regarding the enforcement of GDPR from the 25th of May 2018 and how organisations can prepare themselves.
The European Commission has defined personal data as the following:
GDPR grants member states the opportunity to make provisions for how it applies within their country. These provisions in the United Kingdom are contained in the Data Protection Bill that was introduced to Parliament on the 13th September 2017. The Bill includes additional legal recourse for individuals where their data has not been treated appropriately. It is unlikely that Brexit will have a material impact on the implementation and operation of GDPR, especially in the short term, as the UK will still be an EU member state when GDPR becomes enforceable in May 2018.
One of those uses may be to comply with regulations, such as Counter Terrorist Financing or MiFID 2 surveillance, and hence will need to be kept for some time. Requirements will need to be gathered around all intersections between regulations and implemented accordingly to meet compliance. This may also cover the defence against legal claims.
- This is the first step to understand how far from compliance the organisation is. This can be a technical, legal, operational gap analysis and will be suited to the organisation.
- Legal interpretation and opinion into business requirements. This will include all of the relevant sections of the regulation appropriate to the organisation, including where GDPR conflicts with other regulations. What processes and functions in the organisation will need to change to support the regulation? For example, can a function still operate if a subset of personal data is removed?
- Review of the structure of the organisation to confirm if a DPO (Data Protection Officer) is needed.
- Agreements with 3rd Party vendors will need to be reviewed to confirm how they are using personal data from the organisation. They will also need to be integrated into operating models for maintaining or deleting an individual’s data. All rules that apply to an organisation also apply to the 3rd party vendors.
- Operational review – Confirm the processes in place to deal with requests across divisions. Many operations elements will need to be considered.
- Systems review – Mapping out across all divisions within the organisation where personal data exists and identify the usage of that data.
A centralised response team across all appropriate divisions, with procedures in place in the event of a data breach, to ensure that customers and the regulator are informed within 72 hours. By having procedures prepared for such an eventuality, the reputational damage caused by a breach can be somewhat mitigated. A function will also be required to rapidly investigate which individuals have been affected in order to formulate an appropriate response.
A centralised team should be in place to respond to customer queries. Individuals will be able to approach the organisation to request what data is held about them and what it is used for.
A process will be required to identify individuals’ data from the organisation and remove it for all applicable uses.
A response mechanism to respond to queries from regulators in line with data protection regulations. This will be important, as you will need to demonstrate to the regulator how the organisation complies with GDPR.
- Change teams across all divisions must ensure that privacy by design is considered in all architectural enhancements.
- For dealing with requests about personal data
- For dealing with breaches
- For dealing with requests to remove personal data
- Process flow for how personal data should be deleted:
  - How will other data be affected, and will systems still function if clients’ data is removed?
  - What processes rely on the data, and how will they handle the removal of data from them?
  - When deleting a customer from one process but not from others, can your processes handle the segregation?
- According to GDPR requirements, organisations must demonstrate that they have implemented appropriate measures to mitigate privacy risks. Even in the absence of a privacy breach or customer complaint, regulators may require firms to exhibit evidence of their compliance and risk management strategies, including a Privacy Impact Assessment (PIA) when appropriate.
All customer and employee agreements to handle data for individuals need to be revisited. This should be done by experienced data protection lawyers to confirm that current contracts and agreements are in line with the regulation. It must be confirmed that individuals have opted in to uses of data rather than consented by default.
Where agreements do not comply with GDPR’s definition of consent, consent will need to be obtained afresh, which may require the majority, if not all, of the customer base to be contacted.
- Systems and processes must be in place to keep track of an organisation’s usage of personal data.
- Data lineage should be established to understand how personal data flows through the organisation’s systems and processes. This would include all of the interfaces between systems and the transformation of personal data.
- Ageing of personal data should be established to ensure it is kept for an appropriate amount of time. This should also ensure that data is kept up to date and verified periodically. If the data is beyond the period of allowable retention for the assigned usage, then it may need to be deleted.
- Ensure GDPR is built into archiving policies and processes.
- Cyber Security must be robust and appropriate to protect individuals’ personal data consistently across all divisions and functions.
- Personal data that physically crosses the EU border will need to be revisited to confirm it is within the boundaries of EU data sharing treaties. Data shared and stored physically in Emerging Markets may be in violation of the regulation.
- It will be important, when implementing a consistent robust operating model, to ensure staff are aware of their responsibilities.
- Training staff will be important to allow change professionals to implement compliant processes that are integrated into the “privacy by design” principle.
- Specific training will need to be provided to those that deal with GDPR in the day to day operation of the business, such as responding to customer queries or regulator requests.
- Staff need to be trained in GDPR to allow them to deal with data privacy in day to day operations and also ensure that it is a cornerstone of future business design.
The following are examples of those considerations:
- Differentiation: Putting the customer first and showing how personal data is handled will increase an organisation’s credibility.
- Customer experience: By being fully compliant with GDPR, customers can trust that appropriate safeguards are in place around their data. With increased trust comes a better customer experience.
- Enhanced data asset: The ability for a business to gain control of personal data will be a driver for a better understanding of all data flows, facilitating improved quality and efficiency. With a cleaner dataset, the business is in a stronger position to make the right decisions.
- Transparency: With greater transparency around processes, the customer can be better informed about the ways in which their data is used for the benefit of all customers.
- Efficiency: Cost reduction will arise from transparent and effective handling of personal data. Reducing the overhead of handling data that may be out of date or inaccurate should reduce complexity and improve the impact of new data-driven initiatives.
- Culture: The culture in an organisation can greatly benefit from increased transparency and a focus on customer-based initiatives, especially in the context of initiatives such as the Senior Managers’ Regime.
- Innovation: Improvements that result from better data handling have the potential to be converted into revenue generators.
New Link Consulting has the expertise and practical experience to help you move forward as a GDPR compliant organisation.
Our modular approach can be used to customise assistance where appropriate. Gaps in compliance may already be clear; if so, our trusted execution experience will allow the gaps to be closed with confidence.
Our consultants have many years of experience dealing with regulatory and data implementations across the financial sector and beyond. By drawing on a wealth of practical experience we can assure our clients a first rate service.
We can also include assistance from our legal partners to interpret the regulation according to your bespoke needs and to translate these interpretations into requirements that fit your business. Our cyber-security partners are well placed to provide expertise surrounding data storage, usage and security.