Most organisations have embarked on some form of GDPR compliance readiness project since the new legislation came into force in May 2018. The specialist GRC team at Net Defence includes GDPR Consultants and has been engaged by a large number of businesses and charities to help them assess their own efforts. Recent GDPR Gap Analysis findings have brought to light some recurring oversights:
Board agendas no longer featuring GDPR
Many organisations think the work they did in preparation for the GDPR legislation coming into force was the only aspect the board needed to be involved with, and many now appear to ‘leave it with’ the Marketing and/or IT teams. The legislation is continually being challenged and is evolving. Robust compliance requires due process, which in turn requires regular testing. The most resilient companies have structured GDPR teams drawn from across their business and plan, conduct and review business continuity testing focused on a GDPR breach on a regular basis. They routinely review the most recent Enforcement Action taken by the ICO and have regular Director and staff education scheduled for at least the next 12 months.
Thinking that you don’t need a DPO
It is not mandatory in all cases to appoint a DPO, although it is recommended. The ICO states: “The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority or body, if your organisation’s core activity requires you to regularly or systematically monitor individuals (e.g. CCTV) on a large scale, or you process large-scale special category or criminal convictions or offence data.” Processing includes everything that your entity does with the data, including receipt, collection, storing, amending, disclosure and destruction. Workshop-based education for your DPO, running a regular health check, and/or retained consultancy support are all effective solutions.
Thinking previous consultancy support means you are not liable for breach
A surprising number of organisations have elected to appoint consultants or lawyers to advise on their approach to GDPR, assuming that once the legislation went live, the consultant or legal team appointed became liable on behalf of the company for any breach. This is an ‘urban myth’: the organisation remains the accountable party, and Company Directors can be held personally liable under changes to Directors’ responsibilities. Company Directors should be made aware of this and, as mentioned above, regular testing and updating is required across the company. In addition, some clients that the Net Defence Team have attended to have discovered that the consultants they previously engaged were not highly skilled in GDPR and had left the client exposed to risk. A GDPR Gap Analysis has been the key tool for identifying and remedying this quickly.
Deleting the e-marketing database
A growing number of companies are electing to delete their e-marketing database in the vain hope that this ‘covers them for GDPR’. Again, this is an ‘urban myth’. As noted above, destruction is itself a form of processing, so a mismanaged deletion (for example, one that is incomplete, undocumented, or removes records the business still needs to retain) can actually increase the risk of breaching GDPR. GDPR also involves far more than marketing databases: staff records, Director records, supplier records, contractor records and more. It affects social media, digital files and hard copy files on business or home premises, and processes and communications both internal and external. A GDPR Gap Analysis can identify risk areas quickly and help remedy them.
Buying software to make you GDPR compliant
Some software applications can support GDPR protection through process and automated reporting. However, no single software application can make any organisation compliant. The risk of a GDPR breach through lack of due process, human error, and data held outside any digital system (for example, hard copy files) remains high. Again, a GDPR Gap Analysis will enable you to find out where the risk and non-compliance lie in respect of your organisation.
In summary, the ways in which companies have approached GDPR are vast and wide-ranging, from full external consultancy and legal advice down to one member of the team attending a seminar and attempting to achieve readiness themselves. It is therefore no surprise, a few months into this new legislation, that so many are still at high risk of breach. There are a number of opportunists who are cashing in on fear too, so be sure to identify a trusted, reputable firm for support. You can read more about our own Trusted Partner status with the SBRC here.
Top Tips for GDPR compliance from Net Defence
Design business continuity plans that feature GDPR breach and data loss
Schedule regular data loss and breach testing (crisis simulation)
Train Directors on their current liabilities
Regularly train staff on GDPR process and understanding
Engage a trusted supplier for a GDPR Gap Analysis
Be mindful that no organisation is ever simply ‘GDPR compliant’. GDPR requires ongoing processes, testing, training and reporting to ensure that your risk of a GDPR breach is minimised. If you would like help to achieve this, you can contact our GRC Team at Net Defence for support. You can read more about our services here.
“GDPR is a vast piece of legislation which grants people living in Europe new powers over the data being collected about them—like the right to access or delete their own data, and the need for their consent to use it.
But, as we’ve seen time and time before, the new rules have been left deliberately vague, forcing corporates and startups alike to invest in (expensive) legal experts to interpret what GDPR means for them.”
“Big British firms have now sunk a combined $1.1 billion preparing for GDPR, according to estimates compiled by the International Association of Privacy Professionals (IAPP) and EY.”