Eight things to prepare for life under the GDPR

Eight things you should do NOW to prepare for life under the GDPR

By Ardi Kolah BA(Hons), LL.M, FCIM, FRSA
Programme Co-Director, Data Protection Officer (DPO) Programme, Henley Business School

The EU General Data Protection Regulation (GDPR) has now come into force. It creates the legal framework for the operation of the Digital Single Market and poses a significant threat to business continuity if data controllers and data processors get it wrong; administrative fines can be up to an eye-watering 4% of global turnover or €20m.

This is a quantum leap in financial sanctions available today. It’s also a very clear sign that supervisory authorities have got much sharper teeth with which to enforce compliance, so it will pay to keep on the right side of the Information Commissioner’s Office (ICO), and the Financial Conduct Authority (FCA) for that matter.

Here are eight things that you should do now to prepare: 

Quickly undertake an audit of all personal data processing activities carried out now or planned to be carried out in the future. Is this personal data processing being conducted with the consent of the data subject or under ‘legitimate interest’ that hasn’t been overridden by the interests of the data subject?

The burden of proof is now on the data controller to show evidence of consent, which needs to be unambiguous and, in the case of processing of ‘special’ personal data, such as sensitive financial data, consent must be explicit.

Notices in ordinary language, the time period for which consent has been given, as well as the purpose for which the personal data can be used all need to be properly recorded.

Use the transition period intelligently by carrying out re-consenting of existing customers and clients, so that you show you take their data protection seriously.

Data controllers can’t pass the buck when things go wrong and blame the data processor as they may have tried to do in the past. They now both share joint and several liability for personal data breaches.

The data controller entering into long-term commercial arrangements (24 months or more) must check these comply with the GDPR to be on the safe side and also ensure that the data processor acts in accordance with the GDPR, otherwise will be liable for a big administrative fine.

This extends to visiting the premises of the data processor and ensuring appropriate security measures against physical harm or damage from flooding, for example, are in place.

The GDPR requires that information provided to the data subject is in clear and understandable language and that your policies should be transparent and easily accessible.

Assuming that you complied with the provisions under the Data Protection Act 1998 doesn’t mean that you will comply with the GDPR. Ensure that you have clear policies in place to prove that you meet the new standards.

Join the queue of financial services organisations that want to get their hands on a top-flight Data Protection Officer (DPO). Be aware though that there’s a significant shortage of DPOs in Europe who can do the job and they may command a large pay packet too.

So, as a cost effective option, consider executive education and training of a senior manager who could become the organisation’s DPO.

The caveat here is that they can’t have any conflict of interest and can’t take instructions from the senior management team in the exercise of their duties and responsibilities.

Alternatively, hire the services of a freelance DPO, but make sure they have the right credentials to do the job. Under the GDPR, the DPO must maintain their knowledge and experience in order for the organisation to be compliant otherwise it’s another administrative fine!

There’s a saying that ‘practice makes perfect’ and certainly a key task of the DPO is to put in place clear policies and well practised procedures to ensure that the organisation can react quickly to any personal data breach and notify the supervisory authority, regulator and data subject in time, where required.

It also helps to ensure that the organisation adopts a risk-based approach to personal data protection and avoids confrontation internally between the DPO and the senior management team.

Data protection awareness training and specialist technical training on a regular basis is mandated as a key responsibility of the DPO under the GDPR.

This is perhaps one of the hardest things to do and it’s implicit in reading the GDPR that organisations must be seen to behave ethically and appropriately, as well as doing the right thing because it’s the right thing to do.

This is about leadership and the senior management team (SMT) must be seen to be taking the lead here, supported by the DPO. The SMT needs to foster a culture of monitoring, reviewing and assessing data processing procedures – with the aim of minimising personal data processing and retention of data, and to build in safeguards.

This is a principle of the GDPR and must be embedded into any new personal data processing or financial services product. This needs to be thought about early in the process to enable a structured assessment and systematic validation. Implementing privacy by design can both demonstrate compliance and create sustainable competitive advantage.

This is a problematic legal area. With any international personal data transfers, including intra-group transfers, it will be important to check that the data controller has a lawful basis for transferring personal data to jurisdictions that are on an ‘approved’ countries list and are deemed to have adequate personal data protection.

Getting this wrong could attract a fine of up to 4% of annual worldwide turnover, so the consequences could be severe, not just financially but also from a reputation perspective.

In conclusion, the data controller needs to evaluate the specific risks to the data subject laid out in the GDPR and, as a result, the risk to the organisation for processing this personal data.

If you’d like to learn more about the GDPR Transition Programme and how this can help ensure that your DPO is up to date in this rapidly evolving area, contact us on +44 (0)1491 418767 or email exec@henley.ac.uk

Related links