Preparation and stages to consider ahead of GDPR
Maria was the Head of Marine, Trade and Energy at Hill Dickinson LLP. Based in London and travelling frequently to meet her client base, she was very much involved in advising on GDPR across a whole spectrum of industries and clients. She shed light on the questions we are currently raising as regards the new General Data Protection Regulation, which will come into effect on the 25th of May 2018. Maria passed away a month after this interview but her legacy remains.
Muriel: “What is GDPR and where can we read more about it?”
It strengthens the rights relating to the personal data of living identifiable individuals (data subjects) whose data is processed by companies established in the EU, regardless of where the individual lives. It also applies to data subjects in the EU where the processing activities by non EU organisations relates to the offering of goods and services in the EU (even if it is for free) or monitoring of behaviour in the EU.
GDPR increases the obligations of companies and increases sanctions for non-compliance to 2% of worldwide turnover or €10m (whichever is the higher) for some offences and 4% of gross worldwide turnover or €20m (whichever is higher) for other offences.
One of the most significant changes is the accountability principle which requires you to show how you comply with the GDPR principles. The best place to start is the Regulation and the website of the supervisory authority in the country where you have your main establishment."
Muriel: “What types of Organizations in terms of industry and size, are affected by the changes of the new Regulation?”
Maria: “All organisations, regardless of size, are affected by GDPR. The scale of change required to the operation of the business and the policies and procedures depends on what is in place at present to comply with the present Directive, the size of the business, the amount and type of personal data being processed. Organisations with more than 250 employees have more onerous obligations in documenting compliance to demonstrate compliance.”
Muriel: “What is a DPO and who should hire or consult with a DPO?”
Maria: “A DPO is a Data Protection Officer and has responsibility to inform an organisation and its employees about their obligations to comply with GDPR and other relevant Data Protection Laws.
His responsibilities include monitoring compliance, advising on impact assessments, ensuring staffs are trained and internal audits are conducted. The DPO is also the first point of contact for the supervisory authority and individuals whose data is being processed.
Article 37 makes it mandatory for a DPO to be appointed where the organisation is a public authority or it carries out large scale, systematic monitoring of individuals or large scale processing of sensitive data or data relating to criminal convictions and offences. Most commercial companies will not come within these provisions. Large companies who process a large amount of personal data including sensitive data should consider appointing a DPO voluntarily, as part of their risk management processes, to comply with their overall GDPR obligations.”
Muriel: “Are individuals who maintain business and client information on their home laptops concerned by this decision?”
Maria: “GDPR does not apply in the domestic context. It does apply to businesses and the use of home computers, personal phones and other devices on which company data relating to data subjects can be accessed.
The security requirements of Article 32 require companies to make sure such data is adequately protected. This requires adequate technical and organisational measures to be considered and implemented.”
Muriel: “What about Organizations that circulate Newsletters and E-Magazines, for instance? Do they need to appoint a DPO?”
Maria: “Circulating Newsletters to subscribers, maintaining emails received from business cards, is not the criteria for mandatory appointment of a DPO. As set out above, Article 37 is very specific as to when a DPO has to be appointed.”
Muriel: “What will happen as of the 26th of May 2018? Who will be checking the application of the new Regulation and what are the fines that may be applied?”
Maria: “Enforcement will be the function of the supervisory authority. Organisations need to register with their supervisory authority and liaise with them as to the implementation and guidance.
Some supervisory authorities are issuing helpful guidance and running training courses. As stated above, the fines for serious breaches can be as high as 4% of gross worldwide turnover or €20m, whichever is the higher.”
Muriel: “Right now, what shall Organizations start doing? Is there a questionnaire that can help people assess risk and evaluate the level of information they may be using, storing or transmitting?”
Maria: “The amount of preparation will depend on the amount of personal data processed, transfer of personal data to other organisations and the size of the business. A questionnaire / audit is useful. The stages to consider for large organisations are as follows:
Phase 1: Awareness, information audit / risk assessment
- GDPR awareness and training from Board downwards;
- Review / audit personal data collected and processed at present, what you have, why, who sees it, who needs to see it, how long it needs to be kept, its accuracy, lawfulness, whether consent is obtained, whether shared, sent to third countries or cross border, etc.;
- Assess risk, looking at what controls are in place now and what further controls are needed;
- Data Impact Protection Assessment, where data processing gives rise to a high risk to individuals.
Phase 2: Make decisions
- Assess the results, consult and make policy decisions, i.e. whether to have a DPO, whether consent is required, lawfulness of processing, etc.
Phase 3: Develop policies, procedures and documents
- Identify and consider guidelines of and consult with supervisory authority;
- Consider employees’ and others provision of information, access, verification, rectification, erasure rights under GDPR and develop procedures and forms which justify policies made;
- Draft policies and procedures, to include reporting, audits, transfer of data, informing third parties of changes;
- Seek to cover the issues in the employment contracts, contracts with suppliers, consumers, business partners, etc.;
- Map out joiner, mover, access recertification, and leaver processes from the data asset perspective;
- Identify and consider guidelines of and consult with supervisory authority;
- Check and approve any contracts or agreements with third parties that may handle personal data;
- Procedures to keep the Board updated about data protection responsibilities, risks and issues;
- Programme to review all data protection procedures and related policies, in line with an agreed schedule;
- Procedures to detect, report and investigate breaches;
- Crisis management / continuity plan.
Phase 4: Review security
- Review security of processing;
- Review IT and cyber security and processes.
Phase 5: Training and governance
- Training of data controller, data processor and DPO if appointed on their GDPR responsibilities and procedures;
- Training of employees;
- Handling data protection questions from staff and anyone else covered by the policy;
- Education / notification of suppliers, business partners, etc.;
- Review / audit compliance;
- Reports to the Board;
- Crisis management drill;
- Consider Cyber insurance.
Small businesses need to consider how much of this is relevant to them.”
Maria Pittordis was born in Cyprus and was residing in the UK. She was the Global Head of the Marine, Trade and Energy Division of Hill Dickinson LLP. Her focus was on commercial, litigation, casualty response and regulatory including EU Directives and Regulations. Maria had been involved in advising on GDPR across a whole spectrum of industries and clients. Maria passed away in October 2017 but her legacy remains.
If you enjoyed this interview, share it with your friends so they can benefit from it as well and visit my Blog for more free resources!
Muriel Matta (BSc, MSc, MPhil, Cert CTT Practitioner) is the Founder of Maravilhosa.
She is a multilingual Human Resources Management expert, with extensive cross-cultural experience, spanning 26 years in MENA, Europe and CIS.
Through her work with Organizations and Individuals, she helps solve the toughest HR challenges by customizing unique training and coaching solutions to inspire change, positive thinking and transformation.
Muriel can be contacted via email: Muriel@maravilhosa.net