Data Protection: Why the GDPR changes everything – Part 2

In Part 1, I described what the new General Data Protection Regulation (GDPR) is. The GDPR is the new EU-wide data protection and privacy legislation that comes into force across the EU in May 2018. Part 1 also discussed the first step an organisation should take on the road to GDPR compliance. Step 1 is an assessment of where your organisation currently stands in relation to data protection and security.

In this part I will discuss steps 2 to 4 in the road to GDPR compliance – gap analysis, remediation and adherence.

2. Gap Analysis – find what shortfalls exist

The gap analysis follows the assessment phase. It is a comparative study between your organisation’s current data-related environment and the future compliant environment described in the GDPR. In essence, step 2 establishes the delta between the two scenarios.

The results of the completed gap analysis reveal whether your organisation is compliant with the GDPR and serve as a template for the remediation activities you will need to carry out. Before completing a gap analysis, it is important that an organisation understands the topics and areas covered under the GDPR.

The following three-step process can identify the gaps:

  1. Analyse your organisation’s current situation
  2. Identify the desired future state of compliance your organisation wishes to reach with the GDPR
  3. Determine the differences between (1) and (2) above

Completing (1) to (3) above will help you determine whether or not your organisation is currently GDPR compliant. If a requirement of the GDPR is not being met, a gap exists which requires remediation. The remediation is step 3 – the implementation of the missing requirement(s).

3. Remediation – fix the deficiencies

Once you have identified any gaps in your compliance with current EU law and the GDPR from your assessment, it is time to take compliance and corrective actions.

The GDPR will require some organisations to appoint a Data Protection Officer (DPO) where the core activities of an organisation consist of processing data through regularly monitoring individuals on a large scale. A DPO will ensure an organisation is aware of, and complies with, its data protection responsibilities.

Remediation involves the creation of an action plan that will bridge the documented gaps. This plan facilitates moving from a state of non-compliance with the GDPR to a compliant environment.

Your organisation should promptly rectify deficiencies revealed from the assessment of data-related matters. Possible actions include hardware upgrades, data storage projects, and improvements to software security.

Software

Your organisation may need to adapt its software and systems to capture end users’ consent, given by clear affirmative action such as ticking a box. Your software and systems must also facilitate the individual’s right to withdraw consent or to object to processing on the grounds of legitimate interest.

Security

Security measures specified under the GDPR can be integrated into the processing system, such as encryption or pseudonymisation of data.

Your organisation may also need to amend its security protocol to minimise the processing of personal data, increase transparency with regard to the processing of personal data and enable the controller to create and improve security features.

Template security breach notifications and security breach response plans should be prepared to ensure compliance with the notification rules.

Contracts and Policies

Organisations can take action in respect of their contracting by preparing template processing and sub-processing agreement provisions to cover the GDPR’s expanded requirements in respect of security and breach notification.

Many of your existing contracts may need to be renegotiated to accommodate the GDPR’s expanded requirements. As such, work needs to start now with your legal advisers.

Drafting or amending your organisation’s compliance suite of documentation can begin with the data breach register, data governance records and privacy impact assessments.

Subject access request (SAR) handling policies will also need to be updated to reflect the expanded categories of information to be provided to individuals and the reduced response times required under the GDPR.

Training

Personnel training on data protection should be updated in order to familiarise employees with security protocol and notification obligations.

4. Adherence – keeping compliant

Once an organisation has taken the actions for GDPR compliance under steps 1 – 3, the final step is adherence and maintaining this status.

Adherence requires continued effort on the part of an organisation and its Data Protection Officer (if one is appointed).

Any new business initiatives should be reviewed to assess their impact. This will help ensure ongoing compliance with the GDPR.

Compliant organisations will also require sustained engagement and monitoring from legal, regulatory and IT perspectives to ensure that current and future data-related activities meet GDPR standards.

The ‘one-stop-shop’ mechanism implemented by the GDPR means that organisations will be subject to a single supervisory authority, even where they have a number of establishments across Europe. Each supervisory authority has the power to carry out investigations in the form of data protection audits. They may access any premises and review any data processing equipment and means, which makes ongoing GDPR compliance critical.

Organisations that control personal data are required to maintain a record of any personal data breaches to enable the supervisory authority to verify compliance with the controller’s notification obligation.

The GDPR introduces new concepts of privacy by design and privacy by default.

Privacy by design requires organisations to consider privacy measures during the embryonic stages of the product design processes.

Privacy by default requires data controllers to ensure that, by default, only necessary data is processed.

To make sure that organisations are able to maintain their data protection obligations, these concepts should be incorporated into the D.N.A. of an organisation, throughout the development, design, selection and use of applications, services and products.

What’s next for General Data Protection Regulation?

The General Data Protection Regulation (GDPR) will have a big impact on European organisations when it comes into effect on 25 May 2018.

The road to compliance will involve the implementation of, and continuous adherence to, a purposeful methodology – I recommend the 4 step process of assessment, gap analysis, remediation and adherence described in this article.

While Part 1 and Part 2 of this article outline what you need to do from a legal, regulatory and IT perspective, compliance with GDPR is not a box ticking exercise. True GDPR compliance can only be achieved by working with experienced professional advisers to help you arrive at and maintain GDPR conformity.

Parts of this article are adapted from the Your GDPR Journey: A Practical Guide that I produced in collaboration with Saros Consulting in Ireland.