In this episode of Countdown to GDPR, Jonathan Armstrong, a partner at Cordery Compliance in London, and I consider the roles of vendors in GDPR. These roles cut both ways: vendors help companies comply with GDPR, and vendors are themselves subject to the regulation. The first area is vendors who hold themselves out as subject matter experts in data protection and data privacy.

Armstrong discussed an actual advertisement where a company claimed to be a ‘GDBR’ expert. Leaving aside the copy editing FUBAR, the ad also cited regulatory requirements from preliminary drafts of GDPR which were superseded by the final version of the legislation. He stated, “there’s still the difficult thing that there are corporations out there that are struggling, but there are snake oil salesmen who are trying to prey on them and sell them projects that they don’t need and not sell them projects that they do need. There is definitely a skills gap. And obviously as we get closer to GDPR that gets all the more worrying.”

Beyond this problem of technical competence, vendors present another set of risks under GDPR. Many organizations with literally worldwide operations are concerned with their potential liability for their vendors in the United Kingdom, in the EU or in other countries subject to GDPR. Armstrong noted that the initial inquiry a company should make is who is the data controller and who is the data processor. Under the old rules, the data controller was the corporation and the data processor was the vendor. In the days of cloud computing and software as a service (SaaS) these lines are more blurred. He noted, “as a very general rule the corporation remains liable for everything that it does even if it uses a vendor to process data on its behalf or to manage part of the service.”

GDPR will require a more robust third-party risk management process for vendors. Armstrong explained, “when you are bringing vendors onboard you need to go through a proper process to do due diligence on them. There are some warning signs to start off with, such as if a vendor says I understand all about GDPR and then talks to you about PPI, you should show them the door.”

He went on to add, “If they say you can’t have any audit rights, show them the door. If they say we will not commit to telling you about data breaches within 72 hours, show them the door. There are various minimum requirements that a vendor has to meet under GDPR and if they don’t, find somebody else.” But simply performing background due diligence is not enough.

You should have an appropriate set of contract terms and conditions around GDPR compliance in your agreement with them. There should also be “some sort of attestation about what they’re doing particularly” around continued GDPR compliance. You certainly would want to know where the data is going to be hosted and whether there are ISO 27000 certificates in place for the data centers. Finally, the management of this risk must continue throughout the life-cycle of the third-party relationship with the customer.


In our continuing countdown to GDPR, we take up a key element in the upcoming General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018, that being the issue of the Data Protection Impact Assessment (DPIA). As always, I am joined in this exploration by Jonathan Armstrong, partner at the Cordery firm in London. The UK Data Protection Regulator, the Information Commissioner’s Office (ICO), recently published new draft guidance on conducting DPIAs, entitled “Consultation: GDPR DPIA guidance” (Consultative Guidance).

A DPIA is mandatory in some cases under GDPR. At its simplest, it is a way of assessing data protection risk in any process that involves personal data. A good DPIA process will enable you to identify exactly what you are planning to do with personal data, what the risks are and how you are going to address them. The Consultative Guidance notes that your DPIA “should describe the nature, scope, context and purposes of the processing; assess necessity, proportionality and compliance measures; identify and assess risks to individuals; and identify any additional measures to mitigate those risks.” There are consultation obligations as part of the DPIA process including, in some cases, the obligation to show your DPIA to a Data Protection Authority (DPA) and seek prior approval. Armstrong views DPIAs as a key element of any GDPR plan and “done well a DPIA can reduce data protection risk but also reduce risk across the board.”

The ICO also notes, “DPIAs are an essential part of your accountability obligations. Conducting a DPIA is a legal requirement for any type of processing that is likely to result in high risk (including certain specified types of processing). Failing to carry out a DPIA in these cases may leave you open to enforcement action, including a fine of up to €10 million, or 2% global annual turnover if higher.” While DPIAs bring greater compliance benefits, as they can be an effective mechanism to assess and demonstrate your compliance with all data protection principles and obligations, the ICO cautions “DPIAs are not just a compliance exercise. An effective DPIA allows you to identify and fix problems at an early stage, bringing broader benefits for both individuals and your organisation.”

The key thing to remember about DPIAs is that they are essentially risk assessments, and that should not scare anyone. As such, whenever you are doing something new, whether that be a new process, a new business venture partner or a new vendor, you should consider the risk from the data protection perspective through a DPIA. You can use the DPIA to help design a risk mitigation strategy for your data protection risks. Unfortunately, Armstrong has found that many compliance practitioners and even Data Protection Officers (DPOs) are afraid of them “and I think many people are putting them into the bottom of their desks, when really they should now be at the top.” DPIAs are a significant way of reducing risk in a business and can also reduce your legal exposure; by reducing your risk you reduce your potential for fines, suspension of transfers and civil actions.

I asked Armstrong if he might provide an example and he gave one which I found instructive, as DPIAs must consider both the likelihood and the severity of any impact on individuals as well as on corporations subject to GDPR. He said, “I might say that I’m going to do that as a benefit for the corporation to help secure data which in and of itself helps an entity comply with GDPR. Obviously, there is a benefit to individuals because they might have some of their data on those laptops for work at home and it might be better for work life balance if I identify risks that employees with the device might incur outside of working hours.” He then added, “I might identify a risk that employees will be worried that they’re being tracked because they carry the device with them and I can mitigate those risks down by looking at technologies like geo-fencing rather than geo-location.”

Indeed, the UK Data Protection Regulator, the ICO, has said of the DPIA, “You should not view a DPIA as a one-off exercise to file away. A DPIA is a ‘living’ process to help you manage and review the risks of the processing and the measures you’ve put in place on an ongoing basis. You need to keep it under review and reassess if anything changes. In particular, if you make any significant changes to how or why you process personal data, or to the amount of data you collect, you need to show that your DPIA assesses any new risks. An external change to the wider context of the processing should also prompt you to review your DPIA. For example, if a new security flaw is identified, new technology is made available, or a new public concern is raised over the type of processing you do or the vulnerability of a particular group of data subjects.”

Armstrong said ideally a company would “start at the beginning with their data or with a third-party relationship” in performing a DPIA. However, recognizing the difficulty in this approach, Armstrong noted, “it isn’t mandatory to do the DPIA on existing processes. If your process changes then you should do a DPIA. For example, if you’re tracking laptops with Vendor A and under the existing process you do that already, but you then switch to Vendor B, at that point you probably need to perform a DPIA. This is because the change in vendors is really a change in the whole process, not just a change of vendor, so an existing process changes.”

Through the use of DPIAs a company can reassure individuals it is protecting their interests and has reduced any negative impact on them as much as they can. Conducting and publishing a DPIA can also improve transparency and make it easier for individuals to understand how and why you are using their information. This could lead to additional benefits for your company’s reputation and your relationships with both your employees and your customers. Conducting a DPIA can help you to build trust and engagement with the people using your services, and improve your understanding of their needs, concerns and expectations.

Facebook, are you listening?

To learn more, check the podcast series Countdown to GDPR, Episode 4, by clicking here.

For more information, check out Cordery’s great GDPR resource, GDPR Navigator. 

Finally, if you are in Houston on April 10, the Greater Houston Business and Ethics Roundtable is hosting Jonathan Armstrong for a half-day GDPR workshop, entitled “Are You Ready for GDPR?”. For information and registration, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2018


Today we are going to take a look at some of the basic policies and procedures that you need to have in place to comply with the new General Data Protection Regulation (GDPR) effective May 2018. I am joined in the exploration by Jonathan Armstrong, a partner at Cordery Compliance in London. GDPR compliance mandates some specific policies and procedures that Armstrong and the Cordery team suggest that you implement at this time for the GDPR go-live date of May 25, 2018.

Armstrong believes there are two key policies to begin your process with going forward. The first should be an internal document you send to all employees which reiterates the basics of data protection, which are the simple tactics of being aware, deleting suspicious emails and not opening unknown attachments or attachments from indeterminate sources. This first policy should also inform all employees of their basic duties under GDPR. This first communication should be companywide, and you should take steps to make sure that it is communicated throughout the organization with a sufficient level of importance.

Armstrong suggests a second policy which will be much more focused on GDPR compliance so there will also need to be robust procedures created to implement the specific requirements of GDPR. You will need policies on and procedures around the new rights created under GDPR. This includes the Right to Portability, which is an individual’s “right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided”.

Armstrong next identified the Subject Access Request (SAR), which allows a person to exercise their right to gain access to data an organization might hold on them. A SAR must be answered within one month of receipt of the request; this period may be extended by a maximum of two further months when necessary, taking into account the complexity of the request and the number of requests. Unfortunately, under GDPR, the ability for a business to ask for a fee for a SAR has been abolished. Here Armstrong noted there has been a significant rise in the number of SARs being made in recent years – when SARs become free on May 25, he anticipates an even greater rise in requests.

Armstrong noted there have been a reported 11 million SARs filed in the UK under the current law. Think about that number for a minute, as there are about 60 million people in the whole of the UK. This means that fully 1/6 of the country’s population has filed a SAR under the current law. Requesters can be charged £10 by the company to whom the request is made. After May 25 there will be no charge and hence no recoupment of costs by those organizations required to comply with the law. He also cited the example of a UK financial institution which “currently has a delay of nine months in responding to the subject access requests because of the volume of SARs that they have received.” They clearly have not put the resources into complying with the current law, as “nine months isn’t defensible under the existing law and that will not be defensible under GDPR as well.” He concluded, “companies are going to have to put in place measures to deal with these requests. And now is not the right time to be doing nothing.”

Moreover, there is no prescribed form for a SAR, and this means such a request can come into the company through a variety of channels, such as Twitter or even Facebook. An essential part of a company’s future data protection strategy will therefore be putting proper processes in place to deal with SARs. Armstrong’s conclusion on SARs: “Normally most organizations take at least that to look at their databases. Again, because of the need for urgency, as with a data breach reporting procedure, the mistake that a lot of corporations make now is having that process be too long.”

As a final critical policy and procedure, Armstrong noted that one on data breaches is key. Obviously here in the US, most companies have gone out of their way to hide data breaches. Such conduct will be heavily penalized under GDPR. This means that most US companies will now have to completely revamp their protocols not only to ensure that data is secure but also to meet the mandatory reporting of data breaches to the appropriate regulator(s) and communication to those individuals who are affected. Cordery has noted, “in this context a personal data breach means ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.’ Data breaches will have to be reported, under conditions set out in the new rules including what action has been done to mitigate them, to the relevant data protection regulator without delay and, ‘where feasible’, not later than 72 hours after a data controller has become aware of the breach – a reasoned justification must be provided where reporting is not made within the 72-hour period.” A communication of a breach to the persons concerned must also be carried out when the “breach is likely to result in a high risk for the rights and freedoms of individuals”, which must be done without “undue delay” (i.e. no time-limit as such has been set).

Armstrong analogized that for most employees your policy should be “a bit like when you stay at a hotel: there’s a simple plan on the back of the door that basically says raise the alarm, get out of the building. And I think as far as most employees are concerned that’s more or less what you need to tell them, you know, shut down the system if you can minimize loss immediately and it’s safe to do so. Do it, raise the alarm.” However, there should be a more detailed procedure behind your data breach policy that applies to the IT department, the information security team and others in your organization assigned to respond to the data breach.

Policies and procedures for third parties with whom you may be contracting are also important under GDPR. Armstrong noted that you should provide such third parties with guidelines on how you want them to sell your product, and you might need to give them some additional materials to help support those sales. For example, if you’ve got a cloud-based solution or something that’s somewhat technical, it’s likely to be a barrier to sales. You should also ask them to perform a Data Protection Impact Assessment for the work they execute for your organization.

I conclude with an inquiry into training. I am a big believer in tailored training which focuses on the risk of each employee and delivers to them an appropriate level of training. In Foreign Corrupt Practices Act (FCPA) training, for most employees I try to get them to leave the training with two key concepts: (1) do not pay bribes and (2) raise your hand if you have a question or if you see something suspicious. Armstrong agreed that such an approach is also appropriate for GDPR training, particularly ‘raising your hand’. He noted, “I think with a lot of the breaches that we see, the reason for the delay is the person was trying to work out what went wrong or work out whether it’s a problem or not. And I’d say just raise your hand if you think that it looks weak, say fishy, if you think it looks unusual. Tell somebody about it immediately, and I think for organizations they should have in place the equivalent of a ‘there are no stupid questions’ culture.”

As May 25 nears, you need to put these policies and procedures in place. Your training should also commence. I hope you continue to join Jonathan Armstrong and myself as we provide a Countdown to GDPR. For a fuller explanation of policies and procedures, visit the Cordery GDPR Navigator, which provides a wealth of information to utilize in your data privacy compliance program. Finally, Jonathan Armstrong will be in Houston on April 10, 2018 to put on a 3-hour workshop on GDPR. The event will be held at the South Texas College of Law, from 9 AM to 12 noon. You can find out more information on the event and register by going to the GHBER.org site.
