Major changes to how businesses handle data are coming. Are you ready?
The General Data Protection Regulations (GDPR) come into force on 25 May 2018. They will affect every business (sole trader to corporation), charity and public sector body that processes or holds personal data of EU citizens, regardless of where in the world it is based.
Elizabeth Denham, UK Information Commissioner, views it as ‘the gold standard for data protection’, stating ‘Europe has taken the best elements of data protection from the previous Directive and added other concepts that are innovative and represent the best practices from around the world … Embedded into law are privacy by design and default, data breach notification, privacy impact assessments, data protection officers and accountability’ coupled with ‘very meaningful enforcement mechanisms through substantial fines’.
She’s not kidding! With a requirement to report breaches that pose a risk to individuals to the Data Protection Authority within 72 hours (and to the individuals concerned without undue delay), and fines up to the greater of €20m or 4% of prior financial year global turnover (revenue), regulators are serious about ensuring compliance!
Personal data is any information that could be used to recognise someone: photographs, IP addresses, genetic profiles in addition to traditional economic, medical or identity information.
Key empowering ‘Rights’ for individuals and ‘Obligations’ for organisations include:
Right to access: on request, organisations must confirm if they’re processing an individual’s data, where, why and provide a free electronic copy of data concerned.
Right to be forgotten: consent withdrawal including erasure and halting 3rd party processing/further data dissemination; unless overriding ‘public interest in the availability of the data’ (for example accounting/tax/HSE records would still need to be retained in a situation where a customer/employee requested to be forgotten). Where there’s an overriding interest, it’s likely the data will have to be retained for the required period but cannot be used other than for the legal purpose for which it’s been held.
Right to data portability: provision of personal data in a ‘commonly used and machine readable format’ to competitor/3rd party on a subject’s request. This will make comparison websites and supplier switches much more accurate based on actual data.
Privacy by design: ‘built in, not bolted on’ data protection with privacy impact assessments evidenced for higher risk activities. Organisations need controls that are both effective and fit for purpose. They will include manual and IT solutions that: minimise personal data collected; and process only to the extent necessary. They will also restrict data access to essential personnel. Data lifecycle management is essential!
Data Protection Officers (DPO) required for: Public Authorities/Organisations performing systematic monitoring of personal data/large scale processing of sensitive personal data; or special categories of data (eg criminal convictions/offences). Appointed DPO MUST have:
expert current knowledge on Data Protection law/practices
adequate resources to effect compliance
direct reporting to top-level management
no role conflicting interests
be notified to the Data Protection Authority.
Consent management: requires distinct, unambiguous, plain language statement recording data gathering/processing purpose with explicit consent for processing sensitive personal data. Withdrawal must be as easy as provision. Parental consent required for online services data processing of under-16s although member states may legislate that down to 13.
Data Transfer outside EU: Non-EU controllers may have to appoint EU representative; equivalence requirements must be met.
Pseudonymised data, for statistical research, is not subject to regulation providing segregated storage of decryption key and data.
Doing nothing isn’t an option!
So what should internal audit be doing at this point?
First, check it’s on management’s radar and they are already considering how and when they need to take action in order to be ready for the changes.
Remember if your organisation fails to get marketing consent before the deadline, you may be breaking the law by asking for it afterwards, so preparation is key!
Are the right departments (legal, IT, marketing, HR etc) involved?
Have you established if you need a DPO? If so, do you know who will perform that role (will it be an in-house position or outsourced to a specialist)?
Do you know what data you hold, whether or not it’s sensitive, where it’s held, what it’s used for, who is processing it and for what purposes and can you evidence informed consent? If someone asks for it, can you easily retrieve to provide it?
If you have foreign subsidiaries or controllers then are they aware that the legislation is extra-territorial? What training do you need to put in place to ensure they don’t breach the regulation bearing in mind the fines will be based on global turnover so damages could be punitive if an insignificant subsidiary causes a breach?
A lot of focus is on the IT compliance side of GDPR at the moment but actually the legal and business risks should probably take precedence to establish the extent of legislative exposure for your entity and the risk appetite of how you control that risk. The IT solutions will then be obvious as part of the next step in your controlling strategy.
Schedule your ‘go live readiness’ audit early enough to enable remediation if you find the business isn’t ... and be ready to audit compliance controls across your organisation (including foreign subsidiaries or controllers) at least until you are sure the controls are effectively embedded and operationally sound.
Sarah Pumfrett FCCA – Vice Chair, ACCA UK Internal Audit Network Panel