There is now less than 12 months until GDPR D-Day. The 25th May 2018 will usher in a new, more robust personal data protection regime applicable to businesses across the globe that process personally identifiable information about EU residents. It will also act as the starter's gun for Data Protection Authorities across Europe to start issuing fines against those organisations that have failed to get their act together during the preceding two-year grace period.
The fines for a GDPR breach of 20 million euro or 4% of global turnover have been widely documented. This has been further underlined by recent analysis from global management consultancy Oliver Wyman, which found that FTSE 100 companies could face fines of up to £5 billion a year if they don't comply with the new regulation.
GDPR goes beyond the realms of merely ticking the boxes and hoping for the best. It is imperative that every business gets this right, and the key to this is accountability.
The need for accountability in data privacy can be traced back to 1980 and the privacy guidelines then issued by the Organisation for Economic Co-operation and Development (OECD), which described accountability as "showing how responsibility is exercised and making it verifiable." This definition also describes how GDPR will operate in practice. GDPR seeks to strengthen the responsibility of data controllers and data processors in relation to the processing of personal data.
Accountability Underpins GDPR Rollout
The European Data Protection Supervisor (EDPS), in its Accountability Fact Sheet, states that accountability in personal data processing requires:
- Transparent internal data protection policies, approved and endorsed by the highest level of the organisation’s management
- Informing and training all people in the organisation on how to implement the policies
- Responsibility at the highest level for monitoring the policy implementation, assessing and demonstrating to external stakeholders and data protection authorities the quality of the implementation
- Procedures for redressing poor compliance and data breaches.
Although the word "accountability" seldom appears in the GDPR, the core concept of accountability underpins the entire regulation.
- Article 5: identifies the Data Controller as being responsible for ensuring compliance with the GDPR principles surrounding personal data processing. In addition to ensuring compliance with those principles, the data controller must be able to prove it by having in place adequate records of all data processing operations and must make sure such records are kept up to date. In practice this will require that specific resources are assigned to ensure regular updates and follow-up of those records.
- Article 24: states that the Data Controller should implement, review and update technical and organisational measures (i.e. policies and procedures) to show that processing operations are carried out in line with the new GDPR rules.
- Article 30: states that each controller and processor and, where applicable, their representative, shall maintain a record of processing activities under its responsibility.
- Article 39: states that the organisation must monitor compliance with the regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
GDPR compliance will be an evolving process for every business: as more information is shared, stored and processed, more policies and procedures will need to be created and updated on a regular basis. It is up to businesses to build a framework upon which a culture of privacy can be established. This means real change to the culture of an organisation. Accountability isn't something that can be an afterthought of your GDPR preparation; rather, it needs to be at the core of your GDPR plan now, in May 2018 and forever more.
GDPR fines won't just happen when a huge cyber-attack or event occurs; they could just as easily be triggered by a complaint made by a disgruntled customer. If it then becomes evident to the investigating Data Protection Authority that you aren't taking your accountability obligations seriously, a large fine could follow.
GDPR requires organisations to be compliant with the new regulation, but it also offers the opportunity to enhance your business by committing to the ethical use of personal data. You can use this onus on accountability to present your organisation as a bastion of individual privacy rights, which can play an integral part in whether someone chooses your company over a competitor.
The time to act on GDPR is now. It's also important to remember that any plan you put in place must have accountability as a core component. This enables you to be compliant in May 2018, future-proof your organisation for years to come and reduce the likelihood of your organisation being made an example of by a trigger-happy Data Protection Authority.