The Malta Independent on Sunday

GDPR compliance monitoring – our journey begins…

In the final days leading up to the introduction of the regulation, we have witnessed a significant rise in privacy-related breaches. The most prominent among those is the now infamous Cambridge Analytica, in which the parent company, SCL Elections Ltd, a

- Bernard Farrugia

Although employees of the firm were aware of the possible ramifications when the news of what happened broke out, most of them did not think that it would lead to this. When you consider what happened here, and the fact that the regulation had not yet been introduced, you can maybe start to appreciate the influence that such a regulation has, directly or indirectly, brought with it, together with the need for us to start taking privacy a little more seriously.

Although this may sound alarming to some, I do believe that as long as one has pre-emptively prepared oneself to be GDPR compliant (given that this has been done correctly), then all should be fine. Having said this, I see it as the beginning, not the end, of a journey. Like any other system of compliance, the GDPR is a continuous process, not a goal. Now that the regulation is finally upon us, the biggest challenge has yet to come, that is, to ensure that all of us remain compliant with the regulation.

So, you might ask, how do I remain compliant? The following are key interlinked areas to focus on to ensure that the organisation remains that way. These are:

Records of Processing Activities

Recent guidelines issued by the Information and Data Protection Commissioner (IDPC) to regulated industries such as Banking and iGaming have highlighted the requirement that such licensees should have in place records of their data processing activities. In fact, this is something that most businesses should have in place by now. Although Article 30 of the GDPR highlights conditions when such data inventories need to be carried out, such as companies employing 250 employees, a point that I would like to highlight in this regard is that record keeping should not be limited only to regulated businesses or businesses of a certain size. Why is this, you ask? It is obviously good practice for any organisation, big or small, to understand the privacy-related risks affecting its business environment.

Let’s take a scenario where you do not have records of data processing activities within your organisation. Do you feel comfortable that there are technical security measures within the organisation’s systems in place to ensure that the personal data is kept safe and secure? Do you feel comfortable that in the event of a data breach, the relevant supervisory authority and affected data subjects will be informed within the stipulated 72-hour time frame? An inventory of processing activities in place, which is continuously being kept up to date, would enable the organisation to know its current privacy posture and assist it in addressing these kinds of situations.

Data Protection Officer (DPO)

Taking into consideration that several organisations require a DPO (see Article 37), the DPO’s main task (highlighted in Article 39) is to monitor compliance with the Regulation. To do so, the DPO must ensure that:

Records of processing activities remain updated: Having just discussed this requirement, the DPO has a critical task given the ever-increasing threat landscape. This would generally need to be performed by the DPO together with the department representatives, preferably designated Privacy Stewards who verify the correct use of the personal data and report back to the DPO. This would enable the record of processing activities to remain up to date as discussed earlier.

Raising staff awareness: every security expert will tell you that when employees are not trained in identifying threats, they are considered to be the weakest link in the security chain. Malicious actors will, therefore, try to exploit this vulnerability through measures such as social engineering. It is therefore imperative for the DPO to ensure that meaningful and relevant training (i.e. based on the role of the employees) in privacy is given on a regular basis.

Privacy Related Assessments: continuing to ensure compliance requires constant monitoring. Apart from the requirement of Article 30, the DPO is responsible for carrying out Data Privacy Impact Assessments (DPIA). The DPIA is a tool that is part of the privacy by design approach that can be used to identify and reduce privacy risks. More specifically, risks that may cause harm to individuals through the misuse of personal information.

Privacy Notice and Policy

Some of you may have noticed the barrage of e-mails from other vendors to whom you or your company may have previously subscribed. The key principle here is that of accountability. Article 5(2) of the regulation establishes that a data controller “must be able to demonstrate that personal data are processed in a transparent manner in relation to the data subject.” Gone are the days, hopefully, where organisations would process data without a legal basis. Now, organisations have to be open about this and publish this information in their privacy notice (in the case the data subject is a customer) or privacy policy (in the case the data subject is an employee). Any changes to the Records of Processing Activities should be reflected in the Privacy Notice and Privacy Policy. Therefore, similar to the Records of Processing Activities, keeping the Privacy Notice / Policy updated is imperative.

To conclude, compliance can only be achieved by:

• demonstrating good faith to data subjects and to the supervisory authority
• making sure that there are proper records of processing activities
• being transparent about the things one does
• having personnel qualified to manage privacy requests

These are all measures that can help organisations stay away from harsh penalties.
