GDPR: Accountability Can't Be Outsourced

Clare Sadler, TORI Associate and Information Lifecycle Governance Principal Consultant, gives us her views on GDPR...

Marching towards companies is the EU General Data Protection Regulation (GDPR), or, for those in the UK who have been hoping Brexit would mean they don’t have to worry about this, the new Data Protection Bill, which is designed to apply the same standards in the UK. GDPR applies to all organisations established in the EU, and to organisations outside the EU that process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour. Personal data is often equated with personally identifiable information (PII), but the GDPR definition is the broader of the two: any information relating to an identified or identifiable natural person, which includes indirect identifiers such as IP addresses, device identifiers and cookie IDs, whether the person is a member of staff, a customer or a prospect. Therefore, any company that is in Europe, or has staff, customers or prospects in Europe, is affected. The word ‘process’ is also one to note. The GDPR definition of processing covers almost anything that can be done with data, including collecting, recording, storing, retrieving, disclosing and erasing it, so simply by storing EU personal data an organisation comes under the remit of the GDPR.

The GDPR is trying to bring regulation up to date, to protect our rights as individuals in the data-heavy world in which we live, and to provide a common set of standards for data privacy across the EU so that personal data can move between organisations on a consistent footing. Unfortunately, a lot of the excitement around GDPR is for the wrong reasons. The huge fines that the ICO is just waiting to unleash on unsuspecting organisations, and the idea that consent is needed in order to have anything to do with personal data, are the most common myths and scare tactics flying around. There is a kernel of truth to both: the maximum fine rises to €20 million or 4% of worldwide annual turnover, whichever is higher, and the bar for valid consent has indeed been raised (it must be freely given, specific, informed and unambiguous). But consent is only one of six lawful bases for processing, alongside contract, legal obligation, vital interests, public task and legitimate interests, and the GDPR is actually about building on what organisations should already have been doing (and often haven’t) to meet the Data Protection Act, extending certain elements and making organisations accountable. Accountability is the new principle in the GDPR, and accountability can’t be outsourced: a controller that hands processing to a vendor remains responsible for that processing. So not only do organisations need to be compliant, they need to be able to evidence compliance, through records of processing activities, documented lawful bases and retention decisions, data protection impact assessments where processing is high risk, and written contracts with their processors.

GDPR readiness in practice

Becoming GDPR compliant involves looking across the operating model when it comes to managing personal data. We recently worked with a global law firm to help them on their journey towards GDPR compliance. A law firm, you might think: surely they know what to do about GDPR… And when it comes to legal interpretation of the regulation, of course they do. However, this firm also recognised the benefits that being GDPR compliant could bring, both commercially and from a reputational perspective, and that they needed other skill sets to achieve that.

We undertook a current state assessment looking across their policies, speaking with stakeholders to understand how these translated into process and practice, and mapping their application estate, and used this to develop a risk-based GDPR roadmap. Personal data is a subset of information that needs to be managed through its lifecycle: create it, classify it, store it safely and compliantly, retrieve it, and dispose of it when it is no longer needed. As such, strong Information Lifecycle Governance (ILG) practices underpin GDPR compliance, and we paid particular attention to the ILG policies and practices.

As with most organisations, there were aspects that were done well, aspects that were weaker and findings that were unexpected. The amount of data that is transferred to vendors for processing is one that surprises many organisations, and with this firm it was no different. GDPR has extraterritorial reach, which means that organisations need to understand where personal data is moving out of the EU and ensure that appropriate safeguards are in place, such as an adequacy decision for the destination country, standard contractual clauses or binding corporate rules. It also places direct obligations on Data Processors as well as Controllers, and Data Controllers need to work closely with their Data Processors, starting with a written contract that sets out the processor’s duties, to ensure that all requirements can be met.

By making transparent what they already had, what core components needed to be put in place, and the areas of highest risk, we were able to construct a clear roadmap for the global law firm to move towards compliance.

GDPR feels daunting for many organisations. No wonder, as data is everywhere and has historically been poorly managed and governed by most organisations. GDPR is forcing organisations to start addressing this data and information management deficit. But if, like the firm we worked with, organisations can think about what GDPR means to them and get started on the journey, this will already stand them in good stead for the looming deadline of 25 May 2018, when the regulation becomes enforceable.

Want to talk more about the impact GDPR will have on your business, and how to get started on your compliance journey? Get in touch: