Today we are going to take a look at some of the basic policies and procedures that you need to have in place to comply with the new General Data Protection Regulation (GDPR) effective May 2018. I am joined in the exploration by Jonathan Armstrong, a partner at Cordery Compliance in London. GDPR compliance mandates some specific policies and procedures that Armstrong and the Cordery team suggest that you implement at this time for the GDPR go-live date of May 25, 2018.
Armstrong believes there are two key policies to begin your process with going forward. The first should be an internal document you send to all employees which reiterates the basics of data protection which are the simply tactics of being aware, deleting suspicious emails and not opening unknown attachments or attachments from indeterminate sources. This first policy should also inform all employees on their basic duties in response to GDPR. This first communication should be companywide, and you should take steps to make sure that it is communicated throughout the organization with a sufficient level of importance.
Armstrong suggests a second policy which will be much more focused on GDPR compliance so there will also need to be robust procedures created to implement the specific requirements of GDPR. You will need policies on and procedures around the new rights created under GDPR. This includes the Right to Portability, which is an individual’s “right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided”.
Armstrong next identified the Subject Access Request (SAR), which allows a person to exercise their right to gain access to data an organization might hold on them. A SAR must be answered within one month of receipt of the request and may be extended for a maximum of two further months when necessary taking into account the complexity of the request and the number of requests. Unfortunately, under GDPR, the ability for a business to ask for a fee for a SAR has been abolished. Here Armstrong noted there has been a significant rise in the number of SARs being made in recent years – when SARs become free on May 25, he anticipates an even greater rise in requests.
Armstrong noted there have been a reported 11 million SAR currently filed in the UK. Think about that number for a minute as there are about 60 million people in the whole of the UK. This means that fully 1/6 of the country’s population has filed a SAR under the current law. They can be charged 10 by the company to whom the request is made. After May 25 there will be no charge and hence no recoupment of costs by those organizations required to comply with the law. He also cited to the example of a UK financial institution which “currently has a delay of nine months in responding to the subject access requests because of the volume of SARS that they have received.” They clearly have not put the resources into complying with the current law as “nine months isn’t defensible under the existing law that will not be defensible and under GDPR as well.” He concluded, “companies are going to have to put in place measures to deal with these requests. And now is not the right time to be doing nothing.”
Moreover, there is no prescribed form for a SAR and this means such a request can come into the company in a variety of manners such as Twitter or even Facebook. An essential part of a company’s future data protection strategy will therefore be putting proper processes in place to deal with SARs. Armstrong conclusion on SARs, “Normally most organizations take at least that to look at their databases. Again because of the need for urgency as a data breach reporting procedure now the mistake that a lot of corporations make is having that process be too long.”
As a final critical policy and procedure, Armstrong noted that one on data breaches is key. Obviously here in the US, most companies have gone out of their way to hide data breaches. Such conduct will be heavily penalized under GDPR. This means that most US companies will now have to completely revamp their protocols to not only ensure that data is secure but also to meet the mandatory reporting of data breaches to both the appropriate the regulator(s) and communication to those individuals who are affected. Cordery has noted, “in this context a personal data breach means “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Data breaches will have to be reported, under conditions set out in the new rules including what action has been done to mitigate them, to the relevant data protection regulator without delay and, “where feasible”, not later than 72 hours after a data controller has become aware of the breach – a reasoned justification must be provided where reporting is not made within the 72-hour period.” A communication of a breach to the persons concerned must also be carried out when the “breach is likely to result in a high risk for the rights and freedoms of individuals”, which must be done without “undue delay” (i.e. no time-limit as such has been set).
Armstrong analogized that for most employees your policy should be “a bit like when you stay at a hotel there’s a simple plan on the back of the door that basically says raise the alarm get out of the building. And I think as far as most employees are concerned that’s more or less what you need to tell them you know shut down the system if you can minimize loss immediately and it’s safe to do so. Do it raise the alarm.” However, there should be a more detailed procedure behind your policy and procedure for a data breach applicable to the IT department, the information security team and others in your organization assigned to respond to the data breach.
Policies and procedures for third parties with whom you may be contracting is also important under GDPR. Armstrong noted that you should provide such third parties with guidelines on how you want them to sell your product and you might need to give them some additional materials to help support those sales. For example if you’ve got a cloud based solution or something that’s somewhat technical it’s likely to be a barrier to sales. You should also ask them to perform a Data Protection Impact Assessment for the work they execute for your organization.
I conclude with an inquiry into training. I am big believer in tailored training which focuses on the risk of each employee and delivers to them an appropriate level of training. Under Foreign Corrupt Practices Act (FCPA) training, for most employees I try to get them to leave the training with two key concepts: (1) do not pay bribes and (2) raise your hand if you have a question or if you see something suspicious. Armstrong agreed that such an approach is also appropriate for GDPR training, particularly ‘raising your hand’. He noted, “I think a lot of the breaches that we see the reason for the delay is the person was trying to work out what went wrong or work out whether it’s a problem or not. And I’d say just raise your hand if you think that it looks weak say fishy if you think it looks unusual. Tell somebody about it immediately and I think for organizations they should have in place the equivalent of there ‘are no stupid questions culture’.”
As May 25 nears, you need to put these policies and procedures in place. Your training should also commence as well. I hope you continue to join Jonathan Armstrong and myself as we provide a Countdown to GDPR. For a fuller explanation of policies and procedures, visit the Cordery GDPR Navigator, which provides a wealth of information to utilize in your data privacy compliance program. Finally, Jonathan Armstrong will be in Houston on April 10, 2018 to put on a 3-hour workshop on GDPR. The event will be held at the South Texas College of Law, from 9-12 AM. You can find out more information on the event and register by going to the GHBER.org site.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2018