
Still not GDPR compliant? You're not alone.

  • FOCAI
  • Mar 2, 2020
  • 8 min read

Updated: May 3, 2020

At least a third of European businesses fail to meet GDPR requirements according to a report, but the true figure is likely to be much higher!

If you’re unsure whether your business is compliant with GDPR, then you’re not alone. According to a recent survey by RSM, a leading global network of audit, tax and consulting firms, only 57% of businesses are confident that their business fully complies with GDPR, 13% remain unsure, leaving 30% admitting to not meeting the requirements.



Confused about how to achieve compliance?


That this report was produced over a year after the regulation came into force in May 2018 (the regulation was approved in April 2016 and the official texts were available in May 2016) indicates that, despite having 3 years to prepare and facing severe penalties for non-compliance, over 40% of companies are still confused about how to achieve compliance.

Penalties for non-compliance are up to €20M or 4% annual global turnover – whichever is higher!

Of the non-compliant businesses:


38% did not know when consent is required.

'Consent' is only one of the 6 lawful bases for processing personal data, the others being 'contract', 'legal obligation', 'vital interests', 'public tasks' and 'legitimate interests'.


You don't need to ask for consent if other lawful bases are valid such as when:

  • You're performing a core service (contract)

  • You're required by law to process personal data (legal obligation)

  • You're processing personal data to the benefit of your company or others in a reasonable manner, with minimal risk and impact on the data subjects (legitimate interests)

However you should ask for consent when, for example:

  • Using tracking/advertising cookies

  • Sending marketing emails/newsletters

  • Sharing personal data with others for commercial purposes


35% unsure how to monitor their employees’ use of personal data

Monitoring in the workplace touches on a number of legal areas beyond data protection, including human rights, employee rights and the wider protections that apply to communications such as email. A legitimate interest of your business in achieving and maintaining GDPR compliance includes the detection and prevention of loss of personal data such as customer data. However, companies must be careful in their choice and implementation of technologies used to monitor employees' use of personal data, as some technologies capture far more data than this purpose needs and so pose a higher risk to the employee, e.g. keylogging software and continuous monitoring of all employee activity. Combined with training and policies such as an acceptable use policy, technologies which focus on the data itself and capture general anonymised information, such as those featuring data loss prevention (DLP) functionality, or endpoint detection and response (EDR), which combines endpoint device protection with anonymised behavioural analysis, can help to alert you to anomalies and possible data breaches.

34% unclear on how to ensure supplier contracts are compliant.

Third party supplier contracts are important to consider for GDPR whenever they involve personal data, e.g. if you use a SaaS solution for HR, CRM etc.; if you outsource a function to a third party and this involves sharing personal data, such as using an external payroll service; or if information containing personal data is shared with you by a third party.


GDPR sets out specific requirements for third party contracts, seeking a clear understanding of the roles of the parties within the contract (data controller, data processor or both) and their subsequent responsibilities and liabilities. Having a compliant contract is especially important if a third party supplier fails to meet its obligations under the GDPR, such as when it experiences a data breach. The supplier may then be liable to pay damages or other fines, whilst you will still have to let your data subjects know what happened.


Contracts must be clear about:

  • the subject matter and duration of the processing;

  • the nature and purpose of the processing;

  • the type of personal data and categories of data subject; and

  • the controller’s obligations and rights.

Contracts must also include specific terms or clauses regarding:

  • processing only on the controller’s documented instructions;

  • the duty of confidence;

  • appropriate security measures;

  • using sub-processors;

  • data subjects’ rights;

  • assisting the controller;

  • end-of-contract provisions; and

  • audits and inspections.

GDPR delivers a clear message to businesses regarding third-party suppliers – choose them carefully, draw up robust contracts and ensure they take GDPR compliance seriously.



Is your data secure?


Having sufficient protection in place for personal data your business holds is a core component of GDPR. Article 5(1)(f) concerns the ‘integrity and confidentiality’ of personal data. It says that personal data should be:

'processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures'

This means that your business must have appropriate security to prevent the personal data that it holds being accidentally or deliberately compromised. Yet shockingly:

21% did not have a cyber security strategy.

To counter the evolving cyber threat they face today, businesses must ensure they have an integrated approach to cyber security - a cyber security strategy - tailored to their particular business and risk profile, addressing not only the technical aspects of their defence, but also the people and organisational elements required to ensure the confidentiality, integrity and availability of their information.


Although it may seem counter-intuitive when drawing up a cyber security strategy, businesses should actually plan for when attacks will breach their defences. How much impact is too much and how much is bearable? By taking a risk-management approach, comparing the likelihood of specific threats and their relative impact, your business' risk profile can be established. Couple this with a gap analysis to identify whether your defence mechanisms are sufficient to protect you to this level of 'acceptable risk' and you'll be able to see the areas which you need to strengthen - whether this is in the area of prevention, detection and response, or recovery from a breach.


GDPR is actually good for your business!

Whilst it may at first have seemed like even more regulation for your business to get your head around and to comply with, the GDPR is a good thing. It's a milestone that converges the needs of modern cybersecurity with what were in some cases laws that were decades old and clearly written for a different world, such as the UK's 1984 "Data Protection Act" for example.


At a time when the threat to privacy, from both hackers and large corporations, has never been greater, a business that proactively strives to achieve and maintain compliance - and subsequently has better cybersecurity and data hygiene - will promote greater trust and loyalty from its customers and partners alike.

 

Steps to achieve GDPR compliance


1. Where does Personal Data exist? Evaluate and document your data flows and identify any which involve the processing of personal data.
  • Processing is defined as any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation/alteration, retrieval, consultation, use, disclosure by transmission, dissemination/making available, alignment/combination, restriction, erasure/destruction.

  • Regardless of how many data sources and technologies, whether the data is structured or unstructured, in motion or at rest, your business has to prove that it knows where personal data is and where it isn’t.


2. What Personal Data exists? Identify and classify what types of personal data your business holds.
  • Personal data means any information relating to an identified or identifiable natural person (‘data subject’).

  • An identifiable natural person is someone who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.

  • Special category data reveals information about a person’s: racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data (where used for identification purposes), sex life and sexual orientation. Note: Personal data about criminal allegations, proceedings or convictions is treated separately.


3. Why do you have this Personal Data? Identify the lawful basis for the personal data you hold.

There are 6 lawful bases for processing and these are set out in Article 6(1). At least one of these must apply whenever you process personal data:

  • Consent: the data subject has given clear consent for you to process their personal data for one or more specific purposes;

  • Contract: processing is necessary for a contract you have with the data subject, or because they have asked you to take specific steps before entering into a contract;

  • Legal obligation: processing is necessary for you to comply with the law (not including contractual obligations);

  • Vital interests: processing is necessary to protect someone’s life;

  • Public task: processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law;

  • Legitimate interests: processing is necessary for your legitimate interests (or those of a third party) unless there is a good reason to protect the data subject's personal data which overrides those legitimate interests, such as where the data subject is a child.

If, like many businesses, consent is your lawful basis for processing someone's personal data, then you must keep clear records to demonstrate consent, including making sure that any indication of consent is unambiguous and involves a clear affirmative action (an opt-in). GDPR specifically bans pre-ticked opt-in boxes and also requires distinct consent options for distinct processing operations.


Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service. Any existing consent as well as mechanisms for consent need to be reviewed for compliance, and fresh consent obtained if required.
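As an added illustration (not the article's own code, and the record layout and field names are assumptions), the checks below turn the consent rules above into an audit over constructed consent records: each record covers one subject and one purpose, and a record is only accepted if it evidences an affirmative opt-in, no pre-ticked box, separation from terms and conditions, and a timestamp and wording version for the audit trail.

```python
"""Consent-record checks for the GDPR consent rules described in the text.
Added example; field names and record layout are assumptions, and the
records below are constructed sample data, not real subjects."""
from datetime import datetime

# Constructed sample records: one row per (data subject, processing purpose),
# which is the 'distinct consent per processing operation' the text requires.
RECORDS = [
    {"subject_id": "u-1001", "purpose": "newsletter", "given": True,
     "affirmative_action": "checkbox_ticked_by_user", "pre_ticked": False,
     "bundled_with_terms": False, "timestamp": "2020-03-02T10:15:00+00:00",
     "wording_version": "v3"},
    {"subject_id": "u-1002", "purpose": "advertising_cookies", "given": True,
     "affirmative_action": None, "pre_ticked": True,
     "bundled_with_terms": False, "timestamp": "2020-03-02T10:16:00+00:00",
     "wording_version": "v3"},
    {"subject_id": "u-1003", "purpose": "newsletter", "given": True,
     "affirmative_action": "checkbox_ticked_by_user", "pre_ticked": False,
     "bundled_with_terms": True, "timestamp": "", "wording_version": "v3"},
]

REQUIRED = ("subject_id", "purpose", "given", "affirmative_action",
            "pre_ticked", "bundled_with_terms", "timestamp", "wording_version")


def consent_defects(rec):
    """Return the reasons this record cannot evidence valid consent ([] if valid)."""
    problems = [f"missing field: {f}" for f in REQUIRED if f not in rec]
    if problems:
        return problems
    if rec["given"]:
        # Consent must come from a clear affirmative action by the subject.
        if not rec["affirmative_action"]:
            problems.append("no affirmative action recorded")
        # Pre-ticked opt-in boxes are specifically banned.
        if rec["pre_ticked"]:
            problems.append("pre-ticked box is not valid consent")
        # Consent must be separate from other terms and conditions.
        if rec["bundled_with_terms"]:
            problems.append("consent bundled with terms and conditions")
    # The record must show when, and under which wording, consent was given.
    try:
        datetime.fromisoformat(rec["timestamp"])
    except ValueError:
        problems.append("missing or unparsable timestamp")
    if not rec["wording_version"]:
        problems.append("no record of consent wording shown")
    return problems


def audit(records):
    """Map each (subject, purpose) pair to its defects, for a compliance review."""
    return {(r.get("subject_id"), r.get("purpose")): consent_defects(r) for r in records}
```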


4. How are you securing this Personal Data? Identify what measures you have in place to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.
  • Identify and evaluate the measures in place to secure the personal data. Does the company’s security posture provide sufficient protection?

  • Perform gap-analysis and security testing to identify any vulnerabilities.

  • Put into action your plan to mitigate threats, patch vulnerabilities and strengthen effective security. Be aware of timelines and the risk to data subjects while vulnerabilities exist, and carry out testing again to ensure that the vulnerabilities no longer remain and that no new vulnerabilities were introduced.


5. Who is responsible for managing Data Protection in your organisation? Accountability is one of the data protection principles. It means you are responsible for complying with GDPR and for demonstrating compliance.

Organisational measures (as well as the technical measures) are required to be in place to meet the accountability requirements of GDPR:

  • Adopt and implement data protection policies;

  • Take a ‘data protection by design and default’ approach;

  • Ensure you have written contracts in place with organisations that process personal data on your behalf;

  • Document activities involving processing of personal data and perform data protection impact assessments where processing of personal data is likely to result in high risk to the interests of the data subject;

  • Appoint a data protection officer;

  • Train staff on data protection and adhere to relevant codes of conduct;

  • Have processes in place to deal with requests from data subjects;

  • Sign up to certification schemes;

  • Record and, where necessary, report breaches of personal data.


6. How are you demonstrating ongoing commitment to data protection and compliance with GDPR?
  • Prove that you are regularly auditing and checking to make sure you remain compliant.

  • Continuous security awareness and data protection training reinforces best practice security and data protection behaviours.

  • Demonstrate effective incident response by regularly practising what to do in the event of a suspected breach, starting with detection mechanisms and a clear reporting process, as well as having a well-practised incident response team.

  • Maintain and update documentation in a timely manner, being sure to communicate to the relevant parties as required.
