Prepare for the GDPR

The EU General Data Protection Regulation – three key features your organisation needs to know

By Ardi Kolah LL.M
Co-Director, GDPR Transition Programme, Henley Business School

It’s been five years since the European Commission proposed a radical overhaul of Europe’s out-of-date data protection laws, but the EU General Data Protection Regulation (GDPR) has now come into force.
The GDPR creates the legal framework for the operation of the Digital Single Market, as well as helping to create a level playing field by sweeping away 28 different data protection and privacy laws across individual EU member states and replacing them with this one EU regulation.

It’s not perfect, of course, and many of its critics complain that data subjects have been given too much power over organisations that are simply trying to make a living by exploiting the opportunities for using data to drive their businesses and serve their customers.
However, what’s really clear is that the GDPR poses a significant threat to business continuity if data controllers and data processors get this stuff wrong; administrative fines can be up to an eye-watering 4% of global turnover or €20m.
This is a quantum leap in financial sanctions available today. It’s also a very clear sign that supervisory authorities have got much sharper teeth with which to enforce compliance, so it will pay to keep on the right side of the Information Commissioner’s Office (ICO), and the Financial Conduct Authority (FCA) for that matter.

At 260 pages in length, with 99 Articles and over 100 pages of explanatory notes known as ‘Annexes’, the GDPR is roughly three times the length of the Data Protection Act 1998 it is replacing. And even post-Brexit, all UK financial services organisation doing business in the EU area will need to comply with the GDPR.

There are many features of the GDPR, but these are three big ones:
1. Removal of the requirement of the data controller to notify or seek approval of personal data processing from the Data Protection Authority (DPA). Although this cuts ‘red tape’, the GDPR actually places a higher duty on organisations to put in place effective procedures and mechanisms focusing more on high-risk operations (e.g. involving new technologies) and carry out a data protection impact assessment (DPIA) across the whole organisation rather than on a project basis.

2. Data processors (such as cloud service providers) now have direct obligations and this includes implementing technical and organisational measures, as well as notifying the data controller without undue delay when there’s a personal data breach, which now must be reported to the supervisory authority within 72 hours.

3. In certain circumstances, both data controllers and data processors must designate a data protection officer (DPO). This is the new breed of senior manager who is independent and, although the DPO reports to the highest level of management authority, in reality, they are a mini-regulator sitting in the company. Any financial services organisation that’s regularly and systematically monitoring and processing personal data of its customers/clients will need to appoint a DPO or hire a freelance DPO to do the job.

Eight things you should do NOW to prepare for life under the GDPR

1. Carry out a Data Protection Impact Assessment (DPIA) ‘Lite’
Quickly undertake an audit of all personal data processing activities carried out now or planned to be carried out in the future. Is this personal data processing being conducted with the consent of the data subject or under ‘legitimate interest’ that hasn’t been overridden by the interests of the data subject?

The burden of proof is now on the data controller to show evidence of consent, which needs to be unambiguous and, in the case of processing of ‘special personal data’, such as sensitive financial data, consent must be explicit.
Notices in ordinary language, the time period for which consent has been given, as well as the purpose for which the personal data can be used all need to be properly recorded.

Use the transition period intelligently by carrying out re-consenting of existing customers and clients, so that you show you take their data protection seriously.

2. Check all supplier contracts with data processors to ensure they are GDPR compliant
Data controllers can’t pass the buck when things go wrong and blame the data processor as they may have tried to do in the past. They now both share joint and several liability for personal data breaches.

The data controller entering into long-term commercial arrangements (24 months or more) must check these comply with the GDPR to be on the safe side and also ensure that the data processor acts in accordance with the GDPR, otherwise will be liable for a big administrative fine.
This extends to visiting the premises of the data processor and ensuring appropriate security measures against physical harm or damage from flooding, for example, are in place.

3. Check all data protection policies, processes and procedures
The GDPR requires that information provided to the data subject is in clear and understandable language and that your policies should be transparent and easily accessible.

Assuming that you complied with the provisions under the Data Protection Act 1998 doesn’t mean that you will comply with the GDPR. Ensure that you have clear policies in place to prove that you meet the new standards.

4. Hire yourself a top-flight Data Protection Officer
Join the queue of financial services organisations that want to get their hands on a top-flight Data Protection Officer (DPO). Be aware though that there’s a significant shortage of DPOs in Europe who can do the job and they may command a large pay packet.

So, as a cost effective option, consider executive education and training of a senior manager who could become the organisation’s DPO.
The caveat here is that they can’t have any conflict of interest and can’t take instructions from the senior management team in the exercise of their duties and responsibilities.

Alternatively, hire the services of a freelance DPO, but make sure they have the right credentials to do the job. Under the GDPR, the DPO must maintain their knowledge and experience in order for the organisation to be compliant otherwise it’s another administrative fine!

5. Practise the way you’ll deal with a personal data breach when it happens
There’s a saying that ‘practice makes perfect’ and certainly a key task of the DPO is to put in place clear policies and well-practised procedures to ensure that the organisation can react quickly to any personal data breach and notify the supervisory authority, regulator and data subject in time, where required.

It also helps to ensure that the organisation adopts a risk-based approach to personal data protection and avoids confrontation internally between the DPO and the senior management team.
Data protection awareness training and specialist technical training on a regular basis is mandated as a key responsibility of the DPO under the GDPR.

6. Become a champion for transforming the culture in your company
This is perhaps one of the hardest things to do and it’s implicit in reading the GDPR that organisations must be seen to behave ethically and appropriately, as well as doing the right thing because it’s the right thing to do.

This is about leadership and the senior management team (SMT) must be seen to be taking the lead here, supported by the DPO. The SMT needs to foster a culture of monitoring, reviewing and assessing data processing procedures – with the aim of minimising personal data processing and retention of data, and to build in safeguards.

7. Ensure privacy by design and by default
This is a principle of the GDPR and must be embedded into any new personal data processing or financial services product. This needs to be thought about early in the process to enable a structured assessment and systematic validation. Implementing privacy by design can both demonstrate compliance and create sustainable competitive advantage. Failure to adhere to this principle will result in products and services offered in the digital market being unlawful.

8. Handle cross-border personal data transfers with extreme care!
This is a problematic legal area. With any international personal data transfers, including intra-group transfers, it will be important to check that the data controller has a lawful basis for transferring personal data to jurisdictions that are on an ‘approved’ countries list and are deemed to have adequate personal data protection.

Getting this wrong could attract a fine of up to 4% of annual worldwide turnover, so the consequences could be severe, not just financially but also from a reputation perspective.

In conclusion, the data controller needs to evaluate the specific risks to the data subject laid out in the GDPR and, as a result, the risk to the organisation for processing this personal data.

If you’d like to learn more about the GDPR Transition Programme and how this can help ensure that your DPO is up to date in this rapidly evolving area, contact Ardi Kolah LLM, Co-Director, GDPR Transition Programme, Henley Business School on +44()77100 77941 / 0208 542 8786 and email: