Complying with the EU General Data Protection Regulation your first steps

Complying with the EU General Data Protection Regulation – your first steps

By Ardi Kolah LLM, Co-Director, GDPR Transition Programme, Henley Business School

Eight things you should do NOW to prepare for life under the GDPR

1. Carry out a Data Protection Impact Assessment (DPIA) ‘Lite’
Quickly undertake an audit of all personal data processing activities carried out now or planned to be carried out in the future. Is this personal data processing being conducted with the consent of the data subject or under ‘legitimate interest’ that hasn’t been overridden by the interests of the data subject?
The burden of proof is now on the data controller to show evidence of consent, which needs to be unambiguous and, in the case of processing of ‘special personal data’, such as sensitive financial data, consent must be explicit.
Notices in ordinary language, the time period for which consent has been given, as well as the purpose for which the personal data can be used, all need to be properly recorded.
Use the transition period intelligently by carrying out re-consenting of existing customers and clients, so that you show you take their data protection seriously.

2. Check all supplier contracts with data processors to ensure they are GDPR-compliant
Data controllers can’t pass the buck when things go wrong and blame the data processor as they may have tried to do in the past. They now both share joint and several liability for personal data breaches.
The data controller entering into long-term commercial arrangements (24 months or more) must check these comply with the GDPR to be on the safe side and also ensure that the data processor acts in accordance with the GDPR, otherwise will be liable for a big administrative fine.
This extends to visiting the premises of the data processor and ensuring appropriate security measures against physical harm or damage from flooding, for example, are in place.

3. Check all data protection policies, processes and procedures
The GDPR requires that information provided to the data subject is in clear and understandable language and that your policies should be transparent and easily accessible.
Assuming that you complied with the provisions under the Data Protection Act 1998 doesn’t mean that you will comply with the GDPR. Ensure that you have clear policies in place to prove that you meet the new standards.

4. Hire yourself a top-flight Data Protection Officer
Join the queue of financial services organisations that want to get their hands on a top-flight Data Protection Officer (DPO). Be aware though that there’s a significant shortage of DPOs in Europe who can do the job, and they may command a large pay packet.
So, as a cost-effective option, consider executive education and training of a senior manager who could become the organisation’s DPO.
The caveat here is that they can’t have any conflict of interest and can’t take instructions from the senior management team in the exercise of their duties and responsibilities.
Alternatively, hire a managed service DPO, but make sure they have the right credentials to do the job. Under the GDPR, the DPO must maintain their knowledge and experience in order for the organisation to be compliant otherwise it’s another administrative fine!

5. Practise the way you’ll deal with a personal data breach when it happens
There’s a saying that ‘practice makes perfect’ and certainly a key task of the DPO is to put in place clear policies and well-practised procedures to ensure that the organisation can react quickly to any personal data breach and notify the supervisory authority, regulator and data subject in time, where required.
It also helps to ensure that the organisation adopts a risk-based approach to personal data protection and avoids confrontation internally between the DPO and the senior management team.
Data protection awareness training and specialist technical training on a regular basis is mandated as a key responsibility of the DPO under the GDPR.

6. Become a champion for transforming the culture in your company
This is perhaps one of the hardest things to do and it’s implicit in reading the GDPR that organisations must be seen to behave ethically and appropriately, as well as doing the right thing because it’s the right thing to do.
This is about leadership and the senior management team (SMT) must be seen to be taking the lead here, supported by the DPO. The SMT needs to foster a culture of monitoring, reviewing and assessing data processing procedures – with the aim of minimising personal data processing and retention of data, and to build in safeguards.

7. Ensure privacy by design and by default
This is a principle of the GDPR and must be embedded into any new personal data processing or financial services product offered in the digital market. This needs to be thought about early in the process to enable a structured assessment and systematic validation. Implementing privacy by design can both demonstrate compliance and create sustainable competitive advantage. It’s unlawful to offer a product or service that doesn’t comply with the GDPR.

8. Handle cross-border personal data transfers with extreme care!
This is a problematic legal area. With any international personal data transfers, including intra-group transfers, it will be important to check that the data controller has a lawful basis for transferring personal data to jurisdictions that are on an ‘approved’ countries list and are deemed to have adequate personal data protection.

Getting this wrong could attract a fine of up to 4% of annual worldwide turnover, so the consequences could be severe, not just financially but also from a reputation perspective.
In conclusion, the data controller needs to evaluate the specific risks to the data subject laid out in the GDPR and, as a result, the risk to the organisation for processing this personal data.

If you’d like to learn more about the GDPR Transition Programme and how this can help ensure that your DPO is up to date in this rapidly evolving area, contact Ardi Kolah LLM, Co-Director, GDPR Transition Programme, Henley Business School on +44 (0)77100 77941 /0208 542 8786 or email