With maximum fines of up to 4% of annual global turnover, increased breach notification requirements and additional administrative obligations applying from 25 May 2018, GDPR compliance should, if it is not already, be a top priority on board room agendas.
As if the ICO needed anything else to incentivise data protection compliance, the UK Information Commissioner, Elizabeth Denham, made a recommendation at an appearance before the House of Commons Public Bill Committee that company directors should be held personally liable for data breaches by their companies.
The GDPR contains a number of requirements designed to increase accountability, including: training staff; carrying out audits and privacy impact assessments; implementing privacy by design; and establishing breach notification procedures.
As a first step to being GDPR-ready companies (and their directors) should be able to confidently answer the following:
- What personal data do we hold?
- Where is it?
- What is it being used for?
- How secure is it?
Depending on the nature and size of an organisation, answering these questions could involve significant time and resources. Accordingly, if they have not already done so, boards should start allocating budget for this now. Finding and analysing data, and then ensuring that it is, amongst other things, accurate, up-to-date and only processed for the specified purpose, can take a lot of time.
Given the level of potential fines and reputational harm, a board's failure to ensure protection of personal data may be considered a failure of directors' duties to promote the success of the company, and/or to exercise reasonable care, skill and diligence, which could result in action for damages and/or termination or disqualification.
An internal or external Data Protection Officer (DPO)?
All public sector organisations must appoint a DPO and all private organisations should consider whether they are required to do the same.
The DPO will be responsible for advising the organisation of their obligations and monitoring compliance. They must report directly to the highest level of management and have 'expert knowledge' of data protection.
If an organisation does not already have an internal candidate with the requisite skill set who can be appointed as the DPO, the options are either to recruit a permanent member of staff (bearing in mind that budget and headcount should be allocated now if the DPO is to be on board by 25 May 2018) or to outsource the DPO role to an external firm with data protection expertise.
It doesn't have to be bad news
GDPR assessments are already being used by progressive companies to increase the value of their business. The process of reviewing existing data, removing unnecessary data and seeking fresh consents can enable organisations to leverage useful data to capitalise on new business. This will make client or customer contact lists more focussed and effective. Implementing 'privacy by design' will help organisations to identify issues at an early stage, making any remedial actions less intrusive and costly. In addition, demonstrating GDPR compliance should help enhance organisations' public image as consumers and customers will have confidence in how their personal data is being handled.