GDPR comes into force on 25 May 2018. How will your business implement the changes?
Chris Bollard is a partner in the technology and innovation team at Matheson, and advises clients on a whole host of data protection, information technology and intellectual property issues. In conversation with Siliconrepublic.com, Bollard discussed an issue facing nearly every business in the coming months: GDPR.
From misconceptions to key planning elements, Bollard discussed practical steps that can be implemented now, as well as issues to consider.
GDPR: How to manage the process
Don’t think GDPR doesn’t apply to you
Bollard noted that there is a “slight perception in the market that it [GDPR] only really applies to large MNCs or public bodies, but the fact of the matter is that GDPR is going to apply to every Irish business and organisation, even if that’s just with the employees within your organisation”. If you’re a small company, don’t think the new rules will not apply to you.
There’s no deadline for compliance
According to Bollard, some companies perceive the enforcement date on 25 May as “some form of deadline and that once you hit it, you can sort of sit back but actually, it shouldn’t be viewed this way”.
Ongoing compliance should be the real goal for every company affected by GDPR. “It’s not enough to be compliant on the 25th of May and just forget about it or do nothing after that.”
Accountability is one of the key tenets of the regulations, which will become a feature of life for us all come May.
Panicking won’t solve anything
Companies looking at GDPR have valid reasons to feel daunted by the task of becoming – and remaining – compliant in the next few months, said Bollard. “The GDPR is a very large piece of legislation with potentially far-reaching consequences, so you can work yourself up into a bit of a panic trying to bite it all off at once, because there are very specific technical requirements across a whole host of data processing.”
Bollard said a great place to start is reviewing the company’s internal data flows to gain much-needed insight, which not everyone can say they are doing at present. “So, if you’re processing data and obtaining it from a third party, you need to understand the basis on which you are processing it.”
To put it bluntly, “get your own house in order”. Once you have a handle on this, you can do a gap analysis and consider data retention periods. Is your business holding on to data longer than it needs to? Are you able to stand over all the processes you are carrying out with data?
According to Bollard, nine out of 10 privacy policies on company websites will need to be updated pre-GDPR. He explained that it would be “no harm” for companies to begin a review of their data notices or information they are communicating to people, whether they are end users of an app, employees or customers.
Do you need a DPO?
Depending on the company, you may have an obligation to appoint a data protection officer (DPO). Even if you aren’t part of a mega-organisation, it is still worthwhile to appoint someone to set standards for best practice throughout the business.
A holistic approach
Compliance will be a challenge due to the nature of the regulation, said Bollard. “The GDPR is basically principles-based regulation. Some of the standards are subjective, meaning compliance will mean different things to different organisations. I would counsel clients to be suspicious of one-size-fits-all solutions.”
If you are charged with GDPR compliance, Bollard recommends trying to view things in terms of what the regulation is seeking to achieve, rather than getting wrapped up in worries about fines.
He stressed the importance of taking a holistic approach to compliance, and said it is crucial to educate your entire team. “Internal education is important and so many potential breaches can be avoided where people have a good level of awareness of what they can and can’t do.”
If an unencrypted laptop with confidential files goes missing in a taxi, you will certainly want your team to know what’s best to do once confronted with GDPR.
An overlooked aspect
Bollard also mentioned the importance of an “often overlooked” topic: data protection in the employee-employer relationship. “There are a huge range of data protection issues that crop up in the employer-employee relationship; they come up almost more frequently than any other relationship.”
He cited the increased use of employee-monitoring software as a growing area of discussion in this space. “It’s very easy to do employee monitoring in a way that breaks data protection laws, so if you’re proposing to roll out monitoring software, you need to ensure the software is proportionate to what you want it to achieve and it doesn’t infringe on employee or data protection rights.
“At the very least, as a golden rule, you should not be carrying out employee monitoring without ensuring that employees are on notice of such monitoring.”
New territories
Bollard also made mention of the far-reaching territorial provisions of GDPR. “If you are processing data of EU residents in the context of goods or services, or if you’re monitoring behaviour, then you are subject whether you’re in New York or Timbuktu. Companies from outside the EU should consider appointing a representative to deal with regulators there.”
Expect an increase in breach reports
GDPR will see the office of the Data Protection Commissioner (DPC) wielding much greater powers, particularly in how companies in Ireland deal with data breaches.
Bollard explained: “Breaches are going to become a much larger feature under the landscape of the GDPR. Currently, breaches are supposed to be reported to the DPC but that’s not technically mandated. Come GDPR, all breaches will become reportable. The provisions are quite prescriptive.”