GDPR Readiness Assessment expert and CEO of PhoenixPro, George Korellis, discusses the implementation challenges faced by companies in the GDPR era.
The Regulation in Brief
The General Data Protection Regulation [“GDPR”] is the new EU regulatory framework intended to significantly strengthen privacy protection. Within its scope is the personal data of living natural persons who are in the EU; data about legal entities is excluded.
GDPR has far-reaching business implications for large and smaller organisations alike. In addition to significantly increased ceilings for monetary penalties (in the most serious cases, the higher of 4% of worldwide annual turnover or €20 million), the new Privacy-by-Design requirement signals a significant shift in how personal data must be collected, processed, used and stored. Consequently, beyond Marketing and Information Technology (already regulated, and now subject to further GDPR requirements), other business workflows traditionally treated as outside the scope of privacy must now be considered: HR (recruitment, evaluations), Distribution, Insurance Claims Handling, Sales, and even Production and Manufacturing.
The main lawful bases for processing under GDPR are: first, a legal obligation; second, processing executed under a contract with the affected individual(s); third, the Data Controller’s legitimate interest (a term expected to be contentious and a matter for legal battles); and finally consent, already widely used, which the individual must provide freely, without undue “bundling” within other terms and in language that is “plain and simple”. Consent also needs to be evidenced, with safeguards against unauthorised tampering with the record of it.
Notable GDPR concepts include: (a) Data Controller – the entity that determines the purposes and means of processing and is principally responsible for the personal data collected; (b) Data Processor – an organisation or individual that processes personal data on the Controller’s behalf; (c) Data Protection Officer (or “DPO”), a role with challenging requirements that can be delivered in-house or using external services from qualified individuals or teams; (d) Privacy Impact Assessment (termed a Data Protection Impact Assessment in the Regulation) – a key requirement intended to act as a safety mechanism preventing organisational initiatives or projects from resulting in adverse privacy impact; and (e) Breach Reporting – the obligation of Controllers to notify their Regulator of a personal data breach within 72 hours of becoming aware of it, and of Processors to notify the Controller without undue delay.
GDPR Implementation Challenges
GDPR presents multiple implementation challenges, the most notable perhaps being the need for a process architecture focused on preventing privacy lapses (typically not how organisations currently operate). Nevertheless, in seeking GDPR compliance, it is mission-critical that organisations also remain successful and profitable!
Within this context, we outline certain key challenges we are addressing, working with customers in multiple industries.
The need for updates and changes to multiple aspects of People, Process and Technology dictates that GDPR must be treated as a real project. Therefore, assigning ownership to an executive project sponsor is as important as securing the necessary funding and prioritising the actions in which team members will be involved. Equally important is having an effective mechanism for timely identification of when a Privacy Impact Assessment is needed, as well as actually having the methodology, tools and expertise to conduct it. Another challenge revolves around choosing the DPO: an in-house resource (with the challenges this entails) versus a qualified third-party provider with the expertise, resources and methodologies to discharge this important role.
To the question “are encryption and pseudonymisation necessary”, the answer is yes! Of course, normal risk assessment and cost-benefit principles also apply. As a rule of thumb, we recommend encrypting all GDPR-critical production systems and pseudonymising all Test, QA and Development systems. Note that pseudonymised data remains personal data under GDPR for as long as the key or mapping that re-identifies it exists, so the key must be kept away from the test environments; only properly anonymised data falls outside the Regulation. Given the inevitable procurement and technical implementation challenges, it is critical to start the related work immediately. It is also advisable that encryption is not restricted to data at rest (such as in databases or file servers), but extended to backups, DR sites and transmitted data (“in motion”). GDPR owners should also ensure they address the particular challenges of cloud applications and external hosting, where the location of data and the management of encryption keys must be established contractually. Additionally, the more one can reduce the use of spreadsheets, the easier it will be to achieve and maintain compliance!
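The following is an added example, not code from the article or from PhoenixPro, of what “pseudonymising a Test, QA or Development system” can look like in practice. It uses keyed HMAC-SHA256 tokenisation for direct identifiers and generalisation for quasi-identifiers, so that a production extract can be loaded into a test environment with its table joins intact but without the real names, e-mails and account identifiers. The field names, record layout and sample records are constructed for the example; the key is generated locally here, whereas a real deployment would obtain it from a KMS or HSM on the production side.

```python
"""
Added example (not from the article): pseudonymising a production extract
before it is copied into a Test/QA/Dev system.

Technique: keyed HMAC-SHA256 tokenisation of direct identifiers plus
generalisation of quasi-identifiers. Tokens are deterministic, so a
customer_id still joins customers to orders in the test copy, but they cannot
be reversed without the key, which stays in production (here it is generated
at run time; a real deployment would fetch it from a KMS or HSM).
Field names, record layout and sample records are constructed for the example.
"""
import hashlib
import hmac
import secrets

# Constructed sample data; these are not real people or accounts.
PROD_CUSTOMERS = [
    {"customer_id": "C-10001", "name": "Maria Georgiou",
     "email": "maria.georgiou@example.com", "dob": "1984-03-12", "postcode": "1065"},
    {"customer_id": "C-10002", "name": "Andreas Ioannou",
     "email": "a.ioannou@example.com", "dob": "1979-11-30", "postcode": "3035"},
]
PROD_ORDERS = [
    {"order_id": "O-5001", "customer_id": "C-10001", "amount": 120.50},
    {"order_id": "O-5002", "customer_id": "C-10002", "amount": 75.00},
    {"order_id": "O-5003", "customer_id": "C-10001", "amount": 9.99},
]

# Fields that identify a person directly: replaced by tokens.
DIRECT_IDENTIFIERS = ("customer_id", "name", "email")


def token(value: str, key: bytes, field: str) -> str:
    """Deterministic, non-reversible token for one field value.

    The field name is mixed into the MAC input so that an identical string in
    two different fields yields unrelated tokens (no cross-field linkage)."""
    msg = field.encode() + b"\x00" + value.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:20]


def generalise(rec: dict) -> dict:
    """Coarsen quasi-identifiers that would otherwise narrow a person down."""
    out = dict(rec)
    if "dob" in out:
        out["dob"] = out["dob"][:4]                   # keep birth year only
    if "postcode" in out:
        out["postcode"] = out["postcode"][:2] + "xx"  # keep district only
    return out


def pseudonymise_record(rec: dict, key: bytes) -> dict:
    """Generalise quasi-identifiers, then tokenise every direct identifier."""
    out = generalise(rec)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = token(out[field], key, field)
    if "email" in out:
        # Keep the field syntactically an address for test code; .invalid never resolves.
        out["email"] = out["email"] + "@test.invalid"
    return out


def build_test_extract(customers, orders, key):
    """Pseudonymise both tables with the same key so joins still work."""
    return ([pseudonymise_record(c, key) for c in customers],
            [pseudonymise_record(o, key) for o in orders])


def referential_integrity_ok(customers, orders) -> bool:
    """Every order must still point at a customer present in the extract."""
    ids = {c["customer_id"] for c in customers}
    return all(o["customer_id"] in ids for o in orders)


def leaks_raw_identifiers(prod_rows, test_rows) -> bool:
    """True if any original direct identifier value survives in the test copy."""
    raw = {r[f] for r in prod_rows for f in DIRECT_IDENTIFIERS if f in r}
    seen = {str(v) for r in test_rows for v in r.values()}
    return any(v in s for v in raw for s in seen)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # production-side secret; never ships with the extract
    cust, ords = build_test_extract(PROD_CUSTOMERS, PROD_ORDERS, key)
    assert referential_integrity_ok(cust, ords)
    assert not leaks_raw_identifiers(PROD_CUSTOMERS, cust)
    for row in cust + ords:
        print(row)
```

Two design points matter here. First, deterministic tokens are what keep the test database usable (foreign keys still match), but they are also why low-entropy fields such as postcode or date of birth are generalised rather than tokenised: a token over a four-digit postcode could be reversed by simply tokenising all possible postcodes. Second, the key is the re-identification secret; if it is ever copied into the test environment, the extract is no longer pseudonymised in any meaningful sense and the Regulation applies to it in full.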
In addressing the requirements over GDPR data subject rights (access, rectification, erasure, restriction of processing, objection, portability, etc.), organisations should ensure they implement feasible execution mechanisms and are able to honour the retention policies they communicated when receiving the personal data. Finally, one should not underestimate the effort and challenges of addressing “downstream risks”, specifically those emanating from vendors and external parties. Negotiating the necessary changes will take time, and what one may perceive as reasonable may in fact be strongly objected to by one’s vendor(s). Therefore, start immediately and be ready for surprises!
In summary, with all its practical challenges, GDPR can in fact be a trigger for improving established processes and practices, and for implementing technological controls that ultimately safeguard your reputation and operations. All, whilst achieving regulatory compliance. Good luck with your projects!
Georgios A. Korellis is a Chartered Accountant by profession, a widely recognised GDPR expert and a Technology Leader with more than 25 years of professional experience. The above article first appeared in the journal of SELK (The Institute of Certified Public Accountants of Cyprus).