While organizations may think that they have done everything needed to prepare for GDPR, they may not have thought about how they arrive at assurance over GDPR, especially considering that being prepared for GDPR is different from having GDPR as part of operations.
GDPR has now been in force for over a year, so would it be correct to assume that all organizations have taken the necessary steps to ensure compliance? Based on our work and feedback from others, it appears that this is not the case, and far from it. But the big question is will the magnitude of the recent fines imposed on British Airways (£186m) and Marriott (£99m) make stakeholders think again?
What does the Information Commissioners Office (ICO) expect of an organization?
That’s quite simple. The ICO expects that all organizations, no matter their size, are taking the protection of personal data seriously and that they are looking after the interests of the data subject. The ICO would expect all organizations to have compliance with the legislation at the core of operational activities. This means that in respect to personal data they are:
- Doing the right things;
- Doing them in the right way; and
- Doing them well.
Clearly both British Airways and Marriott failed to convince the Information Commissioner that they were doing the right things and had done all they could to protect the personal data of their customers, but why are the fines so big? Is it because the ICO is making examples and sending out a message to those organizations who approached GDPR as another compliance headache and did the bare minimum or, worse, ignored it completely? Possibly, but equally it could be because both companies failed at a fundamental level – they failed to safeguard their digital estate.
But it could have been much higher. BA’s fine was 1.5 percent of global turnover; it could have been up to 4 percent. It is also noteworthy that Marriott incurred the £99 million fine because it acquired another hotel chain in 2016 – and it was this hotel group, Starwood, that had lost customers' data through a cyber breach.
While many organizations have invested a great deal of time and energy to be compliant with the regulation, many have failed to recognize the business value.
Instead of viewing GDPR as another regulation you need to comply with, consider the potential business benefits. Why wouldn’t you want to ensure that your data is:
- Obtained fairly and lawfully
- Recorded accurately and reliably
- One version of the truth
- Held securely and confidentially
- Used effectively and ethically
- Shared appropriately and legally
Deliver Business Value … Comply with GDPR
GDPR is also about value and trust in data, a central element of information governance. Information governance encompasses, among other things, information security or, at a digital level, cybersecurity.
There are many organizations that were taken in with checklists and companies offering one-stop technological solutions, without taking the necessary steps to understand how personal data flows through the organization, as opposed to designing and implementing a framework that will fit with the culture and ways of working of your organization.
Then there are those organizations that complained “it’s not fair” and placed it on the “too difficult to do” pile.
On many occasions, senior stakeholders have told me that they could not see how GDPR affected them as they didn’t collect, store or process personal data – in all cases they had failed to grasp that employment data was personal data.
Absorbing GDPR into business as usual requires a holistic approach to information governance.
People, processes and technology – the guidance issued by Working Party 29, responsible for developing the regulation and the ICO, spelled it out: raise awareness, train, develop processes and procedures, tighten up on IT security.
How can doing the above build business value? It can be a differentiator, especially if you buy into the view that we are moving from the information age to where reputation is paramount.
In the marketplace, competition is fierce and choice is not restricted by geography. We no longer just rely on the shops on the high-street or local businesses to fulfill our needs.
Could it be that in the not-too-distant future we will be looking at a “data trust index” when making our decisions over which internet business we want to interact with? So, will a business whose reputation is damaged because it cannot be trusted with our data be overlooked the next time we go shopping?
In GDPR terms, even those organizations that embraced the challenge are only at the beginning of their journey. Organizations collect data for a whole host of purposes and from a range of sources.
The simple question is why we spend time and resources collecting, processing and storing this data? The simple answer should always be because it is necessary to assist in achieving business objectives. If this is the case, then the data collected must have value and be worthy of being safeguarded. If something has no value, why do would we acquire it?
For the last year or two, the focus has been on GDPR, but in reality, many progressive organizations have been using GDPR as a way to improve their overall approach to information governance.
Looking forward, it is how we incorporate GDPR into information governance that will lead to a certain level of GDPR maturity. There is also a real prospect that protecting personal data may fall as part of annual audit requirements.
But it’s not just about our organization; it’s also about organizations with which we share our data. If we do not manage our third-party data-processing relationships appropriately, our reputation could be impacted upon by their negligence. Even if there is a breach in a third party’s data security, we are still accountable; therefore, it is our responsibility to make sure that the third parties we work with are looking after the data we share.
GDPR does not reflect a whole new philosophy with regard to personal data; rather, it builds upon the basic application of good information governance practices, albeit with a greater emphasis on transparency than an auditor might be accustomed.
Providing audit assurance on GDPR is not a one-off process; the regulation requires auditors to consider personal data throughout the enterprise:
- GDPR centers on the quality and accuracy of the data collected – a core tenant of information governance is reliability of information.
- GDPR focuses on the security of data. In information governance, we also consider security data and look at the processes we’ve got in place for data loss management. We don’t want to lose data, but if we do, we need systems in place to inform us that a breach happened.
- In GDPR, we need to ensure that personal data is accessible. In information governance, we also need to be able to access data – this is the way we leverage value out of information.
What can you, to reduce your risk of a fine? Here are some key points of consideration:
- Complete a data audit, develop a Record of Processing Activities and conduct a risk assessment of the data collected, processed, stored and shared.
- Know who all our third-party suppliers are, and any of their suppliers who handle our personal data, and make sure that they have the appropriate processes in place and they are working effectively.
- Draw up privacy notices and have them readily available.You don’t have to get the data subject to sign them; just ensure that the data subject is aware where the notice can be found.
- Add cookie statements on websites.
- Develop processes and template letters that underpin the way to address individuals’ rights when they make a subject access request.
- Raise awareness across the organization, train staff how to deal with personal data and assess their understanding.
- Review contracts with suppliers and customers and, where appropriate, put Data Processing Agreements in place.
- Review information security arrangements to ensure that all sensitive and personal data stored and processed is appropriately protected both at rest and in transit.
• Provide data subjects with their personal data in electronic form, which facilitates portability.
- When making changes to the systems used to collect, store and process data, develop a process to undertake a data privacy impact assessment to ensure a full understanding of how actions and activities may impact the rights and freedoms of the data subject.
- Review all business processes that touch on personal data to ensure GDPR compliance is embedding into “Business as Usual” and becoming an integral part of daily operations.
- Be able to demonstrate that GDPR-related processes are operating effectively and consistently.
Don’t let your organization be the next one hitting the headlines for receiving a large fine from the ICO. The fine is only the start of your worries – reputational and brand damage could cost much more!
Don’t Panic, Help Is At Hand
There are a number of sources of information to help us, including:
ISACA’s GDPR Resources: https://www.isaca.org/info/gdpr/index.html
ISACA’s Cybersecurity Resources: https://cybersecurity.isaca.org/info/cyber-aware/index.html
ICO’s 12 Steps: https://ico.org.uk/media/for-organisations/documents/2014918/dp-act-12-steps-infographic.pdf
NCSC’s Cyber Essentials: https://www.cyberessentials.ncsc.gov.uk/
NCSC’s 10 Steps to Cybersecurity: https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security
NCSC Board Tool Kit: https://www.ncsc.gov.uk/collection/board-toolkit