Data Protection Awareness Day 2017! #DPD17

• by Ellie Hurst
• Advent IM Blog

We have enjoyed getting involved with Data Protection Awareness Day over the last few years and with GDPR fast approaching (next year…!), it is more important than ever to raise awareness of the importance of good quality Data Protection practices.  Sometimes our contributions are serious, sometimes lighthearted but they are always useful and containing good quality tips you can share with your business and colleagues.

This year, we have asked our resident Data Protection guru and Senior Security Consultant, Mark Jones, to turn his expert eye on preparing for GDPR and talk us through some of the requirements and provide some guidance for everyone….

Preparing for the EU General Data Protection Regulation

The coming changes to the Data Protection Act 1998 (DPA98) in the form of the EU Data Protection Regulation (GDPR) are well overdue in bringing data protection processes up to date to meet modern day requirements.
For the first time, the threat of significant fines and penalties to companies in breaching or being non-compliant with the Regulation (could be up to 4% of annual worldwide turnover or up to 20 million Euros, whichever is the higher) has led to it being firmly placed on the Corporate Risk Register with the full attention of the Board. In addition, there are significant new requirements for Accountability and additional Rights to Data Subjects seeking compensation from violations of the Regulation together with other changes.
So, what should organisations do now as a matter of priority? We would recommend the following immediate actions:

1. Assess your current position – carry out an audit to baseline current processing of personal data and sensitive personal data to the DPA98 as it stands now. Develop Data Flow diagrams showing the movement of such data within your organisation. This will show where data is held, who has access to it and enable legal requirements to be addressed.
2. Review your data processes – including security breach reporting, use of Data Protection Impact Assessments and review 3rd party contract clauses relating to data Protection and information security.
3. Review Data Protection documentation – including relevant policies and notices including Fair Processing Notices that include the additional rights of the Data Subjects.
4. Ensure accountability – Data Controllers are responsible for demonstrating compliance with the GDPR and so need to engage with the business’s strategy in the medium and long term and make a record of how that is evidenced (documented). A good document management system is key to demonstrating accountability and ongoing compliance.
5. Engage with Senior Management – to prepare them for the likely implications regarding the GDPR’s position on Extraterritoriality i.e. if monitoring or offering goods and services to EEA Data Subjects then GDPR applies regardless of where the company is based. Review and revise Insurance / Indemnities.
6. Implement ‘data protection by design’ in software development – for all planned systems that will process personal data that will meet the inherent requirements of the GDPR e.g. use of cryptographic techniques.
7. Develop and implement staff training programmes – to enable them to understand their own specific responsibilities in maintaining company compliance with the GDPR.
8. Plan regular data protection audits – at least annually to ensure continued compliance.
9. Be transparent in your actions – transparency builds trust so ensure both employees and customers know how you are processing their personal data and keeping it secure through robust security measures. Trust can assist businesses in gaining competitive advantage.
10. Start planning now – the Regulation must be implemented no later than 25th May 2018 regardless of Brexit negotiations, which themselves won’t complete until 2019 at the earliest.

The above is just a starting point for ensuring your business meets the requirements of the GDPR – ensure you don’t leave it too late and as the new Information Commissioner Elizabeth Denham stated recently ‘The personal information economy can be a ‘win win’ situation for everyone. Get it right, both consumers and business benefits.’ Start NOW!