Privacy matters from either end of the binoculars
Standing up for the little guy
ties you are also entitled to be informed.
Responsible data processing
Isaac Newton stated that ‘for every action, there is an equal and opposite reaction’. Applied to our situation, the flip side of the increased consumer rights mentioned above is a significant increase in corporate responsibilities. If a customer, employee or service user has the right to know what data you hold on them, your organisation had better know what data you have, where it is located and how to compile it quickly and without too much expense.
Some of the 80 specific new requirements emanating from this legislation also include IT security obligations. The WannaCry virus, which has been hitting the headlines, is an interesting one to consider in the context of GDPR. Whilst it is clearly a sophisticated and dangerous attack, many organisations appear to have been infected due to some pretty basic security weaknesses. Under the GDPR, organisations holding personal data which may have been compromised by a hack or a virus would have just 72 hours to report breaches of this type to the regulator.
Before GDPR, some companies and public bodies perceived the costs of non-compliance with Data Protection laws as tolerable. By comparison, the GDPR has teeth. Particularly eye-catching is the potential size of fines, which can reach the greater of €20m or 4% of global turnover. Given that the regulation is intended to harmonise the EU playing field, there is little scope for an individual EU member state’s Data Protection Authority to take a lenient approach to sanctions. In addition to fines, the new law makes it much easier for consumers to obtain damages from non-compliant organisations.
In summary, it’s clear that those public and private bodies that fail to take a proper interest in privacy may find themselves experiencing some seriously negative consequences.
Approaching a GDPR project
Whilst compliance with the GDPR is no small undertaking, it’s important to appreciate that the regulation merely transforms good business practices into formal requirements, albeit with a big stick to encourage compliance.
Given the tight regulatory timetable, stakeholder awareness initiatives and gap assessment exercises should be at a fairly advanced stage by now. A data inventory, preferably supported by data process flow schematics, is also a critical element to ensure that your plans are comprehensive. Legal, Compliance and IT departments will all need to be involved in designing suitable policies, procedures, systems and measures to support compliance.
Undoubtedly, GDPR projects are likely to be supported by bespoke tools and templates, but it is doubtful that suitably tailored solutions will jump out of a box. Successful GDPR projects will likely have the following features:
Link to business goals – In planning these projects you are likely to be surprised how much personal data is held across the organisation. Rather than applying GDPR rules to what you have in a mechanistic fashion, a smarter approach involves first understanding what personal data is actually needed to achieve organisational objectives, focusing on this data and disposing of the rest. A project that places strategy at its heart is more likely to engage management and create joined-up thinking.
Cultural transformation – Bearing in mind that privacy processes are only as strong as their weakest links, a challenge that many organisations will face is to go beyond ticking the boxes and transform the organisational culture in favour of personal privacy. Recognising the cultural risks and having a plan to tackle them is crucial.
You may have noticed that the above elements require a credible project team. Make sure that the individuals assigned to your GDPR project have the credentials and gravitas that this important legislation demands.

Dominic Fisher is a senior manager in Deloitte Malta’s Risk Advisory Services team and the Vice-President of the Malta Association of Risk Management. For more information, please visit www.deloitte.com/mt/risk