GDPR post-implementation – what next?

01 November 2018

We explore the common themes and pitfalls of the General Data Protection Regulation (GDPR) implementation and highlight some key areas that require continual attention.

Common themes and pitfalls

The General Data Protection Regulation (GDPR) came into force on 25th May 2018 following a two-year transition period, which gave organisations time to prepare and implement the necessary changes.
 
In the months leading up to the deadline, there was an unprecedented level of activity in the market, which was a clear indication of the importance of data protection, the value of data to our working lives and the fear of getting things wrong.

Training

Most firms hadn’t paid serious attention to this in the run-up to implementation, with many stating that they found the technology and terminologies confusing and they didn’t want to draw attention to their lack of knowledge. Others were of the opinion that their staff had fared well under the Data Protection Act 1998, so felt little need to invest in additional training.
 
A lack of training is a significant weak link, which every firm must address. If you visit the ‘Action we’ve taken’ section of the Information Commissioner’s Office website, you will see that a large proportion of the fines and enforcement actions issued can be traced back to a single individual who unknowingly made an error.
 
It is vital that every firm addresses its weak links before something preventable happens. Appropriate training programmes mitigate risk. It is that simple.

Subject Access Requests (SARs)

The prevailing initial opinions were, “that won’t happen to us”, “why would anyone be interested in what we hold – we only do insurance”, or, “our staff don’t have a problem with our HR so won’t make a SAR.”
 
Firms also commented about not having sufficient resources to attend to requests, not knowing how to recognise a request and not having relevant procedures or training programmes in place.
 
The bottom line is that it’s not optional: you can’t bury your head in the sand and hope that a SAR goes away. Once a request is made, which could be in writing, verbally, digitally, etc., the clock is ticking. If you don’t respond within the appropriate timescale, the ICO will take a very dim view of your approach to data protection.
 
Each firm must be proactive and put a policy and procedure in place for handling SARs. This policy should be strength tested regularly, to ensure that if it is ever needed, you don’t have to waste time working out what to do.

Lack of internal policies or procedures

GDPR challenges each organisation to effectively ‘show their workings out’. What measures have you put in place and why? What systems do you operate and how have you determined their suitability? What steps do you take to protect the data you hold or process?
 
In addition to documenting decisions, the output of those decisions should be captured in policies and procedures that cover all of an organisation’s processing activity, security measures, staff responsibilities, technologies, etc.
 
The lack of procedures extends to the systems that brokers have in place to manage the data that they hold. For example, many firms did not have any way of identifying the consent statements that were in place when data was collected, or to segment data based upon its retention period.
 
Without an agreed policy or procedure, how do staff and stakeholders know what is required of them? Policies and procedures are a vital component in a firm’s overall governance structure.

Overall security

The ICO has long championed a ‘data protection by design and default’ approach, but many firms still routinely failed to tackle even the most fundamental issues, such as:
 
  • Clean desk policies and record handling
    A number of firms were storing personally identifiable information (PII) in paper form on desks, or in unsecured folders. This presents a significant issue as, not only is the information unsecured, but it is very difficult to identify if a breach has occurred and to determine the impact of any loss.

    The practicalities of active renewal or new business transactions mean that files are printed and left on a desk until completed. A few firms were still using faxes to send information but were not checking whether the fax machine was attended at the recipient’s end, so were sending files without knowing whether they were being left on a fax machine for days on end.

    A further issue was raised by a number of firms, who routinely stored client records in their cars between visits or even for extended periods of time.
  • Physical security
    This was largely satisfactory, with most brokers having appropriate security measures in place and sufficient lockable storage for client records. However, while most had the means to lock storage, not all storage was locked.
  • Digital security
    Again, most of the IT systems in operation today had been well considered, but a number of firms hadn’t paid attention to the security of portable data: emails sent with inappropriate attachments, confidential data worked on in public spaces where it can be overlooked (e.g. on trains), loud telephone calls discussing clients in a café, etc.

Data

Most firms had not conducted an information audit to identify the data they hold, to determine how it was obtained and to map the flow of information into and out of the organisation.
 
Without knowing what data they held, it was difficult to determine the existing consents, to document data processor agreements, or to establish which lawful basis for processing would be relied upon under GDPR.
 
Furthermore, having not identified the data held, these firms also failed to consider breach detection. When asked, “could you identify a breach”, the typical response was one of uncertainty.
 
Each firm must protect the data it processes, document its data processor agreements, publish a privacy policy that sets out its lawful basis, and be able to identify a breach if one occurs.

FAQs

The Information Commissioner’s Office (ICO) has issued a raft of guidance that firms can base their preparations on, and further guidance following the consent consultation can be expected shortly.
 
In a nutshell, organisations need to keep records of personal data that they hold/process, keep records of how and when consent was given and what the individual was told, show where the data is going and what it’s being used for, and protect the data they hold.
GDPR has six key principles, set out in Article 5 of the GDPR and covered in the ICO’s guidance, as follows:
 
“Article 5 of the GDPR requires that personal data shall be:
 
  • processed lawfully, fairly and in a transparent manner in relation to individuals;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
  • processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

These six principles are underpinned by Article 5(2), referred to as the accountability principle, which “requires that the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
 
Businesses need to have a clear understanding of what ‘affirmative consent’ means so that they can ensure their marketing activities are GDPR compliant: they will need to ensure they can demonstrate they have ‘affirmative consent’ for each and every one of their new business prospects, whether these be personal or commercial.
GDPR came into effect on 25 May 2018.
There are a few key steps you should be taking now:
 
  • You need to make sure that decision makers and key people in your organisation are aware that the law is changing. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under GDPR.
  • It would be useful to start looking at your organisation’s risk register, if you have one.
  • Implementing GDPR could have significant resource implications, especially for larger and more complex organisations.
  • You should raise awareness of the changes that are coming and not leave preparations until the last minute.
  • Consider employee awareness training. RWA’s ‘My Development Zone’ is a useful online learning platform with a full GDPR pathway that employees can undertake. 
For more details on the accountability principle and what is required, please visit: ico.org.uk
 
If you would like further support to help you strength test your GDPR compliance then RWA can also assist you with an initial healthcheck and with further high level process implementation support. 
GDPR is a compulsory requirement for any business handling personal data which relates to living EU citizens. To clarify, GDPR documentation refers to ‘personal data’ as being “any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier [email, IP address, mobile device ID, etc.] or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”1
 
Understanding how the GDPR defines ‘personal data’ is vital for every business. For example, a business email address that has a personal name – for example, andrew.linnell@rwagroup.co.uk – meets the definition of personal data, as it has an individual’s name in it. And as such, a business will need to understand on what basis it is processing this data. 
 
Further, how will businesses approach ‘consent’ should an existing client not renew their business? Traditionally, the broker will view this ‘lost’ client as a new prospect for the future. But how will they ensure they have ‘affirmative consent’ to continue to market their services to a client they no longer hold?
 
GDPR is a golden opportunity to review the information you hold and embed solid GDPR policies and procedures. If done correctly, these changes will not only ensure that your business is compliant, but they also have the capacity to deliver commercial gains for your business.