Reflecting on the GDPR landscape
So we have now had GDPR firmly in our minds for two and a half years. More than likely, prior to 25 May 2018, all organisations focused on how to become compliant with the new Data Protection Act. The recommendation from the regulator, the ICO, was that this review would include the construction of data maps. Since then I would guess that many gave themselves a tick and moved on to other operational matters.
Organisations needed to consider what personal data they held, be it on staff, suppliers, clients and customers, and in the charity arena, their donors. Where was that data stored; who had access to it; with whom was it shared; and how long would you hold that data? This needed to be included within privacy policies that became public documents. Systems had to be introduced to ensure that, if an individual queried their data or made a data access request, the organisation had the capability to act, and within tightly defined time periods. Typically, you would be the data controller, so you needed to know what data processors you use to process your data.
Historically, organisations have had time on their side to think about change. Where this related to the personal data held, GDPR made ‘data protection by design and default’ a legal requirement. The key element of this risk-based approach is accountability – your ability to demonstrate how you are complying with its requirements. So, when change was being considered, it was recommended that impact assessments be undertaken, assessing how data would remain secure in the new system. Where possible, someone independent of the planning and orchestration of that proposed change would critically appraise that assessment before it is implemented. Obviously, evidence of such is recommended and also provides good corporate governance.
Back in March 2020 the previous working environment stopped for many organisations throughout the world. Here in the UK, where possible, staff started working from home; rather than seeing clients and customers, communications went online. Those changes took place in just a matter of days. Gradually such restrictions started to ease. However, as the number of positive COVID-19 tests started to increase, we have seen firebreaks being introduced in Wales and in England, and a further lockdown. We have no idea how long these restrictions will remain in place, and all of that is leaving aside the impact of Brexit coming into effect at the start of next year.
GDPR will remain in place – quite rightly so, as it provides organisations with credibility in helping all of us. Yes, that does come with the cost of compliance. However, if this is not monitored and controlled, it can destroy the whole reputation of an organisation, be it a commercial operation or a charity, as well as leading to possible fines from the ICO.
Questions to ask yourself: are those data maps still accurate? Where is that personal data stored? Hard copy records are not always kept in the office, but at people's homes. Where is electronically stored data held? Who has access to it? Who could it be shared with? Where is that server located?
Organisations are looking at making the processing of data as easy as possible, especially if staff are going to be working from home. However, in advance of introducing a new piece of software, do look at the provider's privacy statements and those relating to GDPR. Can they use or share data you put on that platform with third parties? Where is their server located? (Do note that if that server is based outside of the EEA, you have the legal duty to notify individuals whose data you intend to leave the EEA before you do so.) What is their retention policy?
One further area for careful assessment is how the organisation communicates that personal data. As face-to-face meetings decline, there has been a move towards video conferencing platforms. In the initial lockdown, the media told us stories of troublemakers bombing online school lessons. Whilst many of those platforms improved their security with two-factor authentication and the like, your organisation must assess how safe the conferencing site you use is. This will be a risk-based assessment, dependent on the confidentiality of the personal data discussed, be it sensitive data or personal health information about a client. That assessment should also keep in mind all the cybercrime taking place, including the use of ransomware.
Organisations cannot rely on hindsight; ‘oh I didn’t know colleagues were doing that….’ is not a satisfactory reply. Instead, organisations need to plan ahead, assess and monitor – keeping those data maps as real, live documents is essential in ensuring you know where that personal data is, as is putting GDPR on agendas of change within your organisation.