Organisations are being forced to pay attention to the way they handle data, with the incoming General Data Protection Regulation (GDPR) requiring that businesses demonstrate compliance, come May 2018.
Although there is widespread awareness of the regulation, and firms have begun taking measures to become GDPR ready, there is a lack of information on who, exactly, should be spearheading this movement towards rigorous data protection.
Whilst governing bodies worldwide have enacted different data protection regulations across varying industries, there is no individual or team solely responsible, as GDPR will impact all areas of business.
During a recent webinar, Alan Calder, Founder & Executive Chair of IT Governance, pointed out that GDPR must be applied with the same approach given to health and safety. Accountability starts with the Board, who should ensure the firm is on the corporate risk register, and the Board should nominate responsibility to a Director to apply GDPR.
Sarah Williamson, Partner at law firm Boyes Turner, adds that all employees should be trained and aware of GDPR and that the Board should determine who in a department will be involved in compliance. “The responsibility can be assigned to one person within each department, or a team depending on the organisation,” she explains. “It varies across each function, the volume of data processing within an organisation and the sensitivity of that data. Some may just need one person in charge, whereas firms that process a lot of personal data will need a much bigger team. Either way, they must be trained. Data protection affects all parts of an organisation and will need to be a regular Board agenda, as well as departmental.”
She adds that those in charge of GDPR across different departments will need regular meetings. In addition, if any new processes or technologies involve the handling of personal data, they might have to undertake a data protection impact assessment.
Not just an IT problem
Insurance giant Aviva’s strategy illustrates this cross-functional responsibility for GDPR. As Boyes Turner’s whitepaper, titled ‘GDPR: Getting ready for data’s new dawn’, points out, Aviva has placed dedicated data protection specialists across its business units as well as within its risk and compliance teams, and each business unit is required to attest to the standards it is applying and is subject to review by Aviva’s risk and audit team.
The firm has also appointed Kevin Willis as Group Data Privacy Director. Alongside being the General Counsel for Aviva UK Digital, he will report to the GC and increase focus on Aviva’s data protection strategy. He explains the decision: “We wanted a group theme and approach to complement the business unit led GDPR programmes. Having the right governance arrangement sets the tone and direction.”
KPMG has tackled the issue by appointing a Data Protection Officer (DPO), Ian Dunn, a data privacy lawyer within its internal legal team. He will report to the Head of Legal at KPMG’s Office of General Counsel, where he will also sit. To diffuse GDPR responsibility throughout the business, Dunn tells us they have created a GDPR working group in which senior stakeholders represent their main business functions. They will work together through “regular meetings,” and “will be driven by experienced project management support to ensure the different functions progress with compliance at the same time (i.e. a firm-wide compliance programme).”
What should I consider before appointing a Data Protection Officer?
Not all organisations will be required to appoint a Data Protection Officer (DPO); for those that do, however, there is some guidance as to what skills the DPO needs. Phil Gorski, Solicitor at Blacks Solicitors, says that a DPO “should be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. The precise level of these skills can vary according to the type of data processing that an organisation is carrying out, for example the nature and amount of the data processed. Crucially, a DPO must be independent of other decision-makers in the organisation.”
Therefore, the DPO cannot hold a position within the organisation that leads them to determine the purposes and means of the processing, and must give unbiased advice. A DPO will also be tasked with setting out the accountability framework, which should then extend into a privacy compliance framework.
Where should the role of a DPO sit?
Williamson reiterates that the DPO must “be independent and advise on compliance, as opposed to determining what an organisation does with personal data and their processing activities. They can be someone within an existing department, providing they can act without that conflict of interest.” The DPO must report to Board level, and as the role is advisory they wouldn’t necessarily sit in a specific department.
Where should I start?
Companies unsure of their preparations should carry out a gap analysis, Williamson advises. “Ask yourself, what data do you hold? Where does it go? Who does it relate to? Do people know what to do if the data your organisation holds is at risk? These are issues that can be easily resolved,” she says. Teams should start to map out their data flows now, identifying the recipients of personal data and where it is processed, and reviewing existing contracts and their data protection provisions.
This will enable you to determine whether you are a data controller or a data processor. The ICO states that a person is only a data controller if, alone or with others, they “determine the purposes for which and the manner in which any personal data are processed.” A data processor is any person (other than an employee of the data controller) who processes the data on behalf of the data controller. This means that contracts with suppliers and partners who also have access to an organisation’s personal data will need to be rewritten.
Boyes Turner advises that a controller must enter into a binding agreement with any processor it engages with, outlining the details of processing. Some firms have already started to rework contracts, inserting GDPR relevant language. New supplier relationships must be checked for compliance, and existing insurance policies must be checked.