Records Management Perspectives: Unprepared, unaware, unmoved. Why companies must wake up to the challenges of the EU General Data Protection Regulation

The power of memory

The business world is leaving it too late to prepare for the data protection revolution

After four years of negotiation, on April , the European Union adopted the General Data Protection Regulation (GDPR). It will come into force in May 2018, so now is the time to prepare. The EU wants to reform data protection and cut red tape for businesses across Europe by bringing in a single set of rules. In addition, the Regulation aims to protect the rights of European citizens, giving them better control over their personal data.

Despite the Regulation coming into force, there is increasing evidence that companies in the UK and Ireland are shockingly unprepared and, in some cases, alarmingly dismissive of the impact it will have. It should be a debate that grips every business of every size across every sector, not just in the UK but across the whole of Europe. But many companies are burying their heads in the sand and playing a waiting game. This opens up the possibility that many companies will simply not be ready when the Regulation finally comes into place in May 2018, guilty not only of underplaying the extent of the changes required but also of underestimating how long those changes will take to implement. We could also find a unique situation in the UK following the proposed EU Referendum: with so many companies holding the data of European citizens, it would be necessary to comply even if the UK was out of Europe.

We are not talking about a quick fix. Complying with the GDPR will not be as simple as installing a bit of software to make data accessible, editable and safe from breaches. Instead it will involve a complete change of culture in many companies, a complete restructuring of information governance systems for others, a re-appraisal of security settings such as encryption, and serious levels of staff training. Privacy by design is another key proposal of the legislation, so the principles of privacy have to go back to the architecture and design of new systems as well as into changes to existing processes.

Crown Records Management commissioned a survey of senior decision makers across the UK to assess how well prepared and informed businesses are about the upcoming changes. It seems that the UK has not yet woken up to the extent of the task ahead. Respondents (all from companies with more than 200 employees) came from a wide range of sectors including the public sector, insurance, banking, accounting, legal, retail, pharmaceutical and facilities management. Some of the results make alarming reading. One in five of those polled admitted they knew nothing about the changes, and more than two in five in companies with a turnover of more than 500m said they were not concerned about the impact of the new structure. No doubt some of those companies feel they are already addressing many of the issues being brought into focus by the Regulation. Google, for instance, has already prepared for the right to erasure by allowing EU citizens to apply for outdated information about them to be erased from its search engine, following a court case in Spain. The requirement to appoint a Data Protection Officer (DPO) is already being met by some larger businesses.

Survey findings at a glance:
Two in five are planning a staff training programme
50% aren't reviewing policies
A third have already appointed a Data Protection Officer
More than two in five decision makers in companies with a turnover of more than 500m said they were not concerned about the impact of the new structure

The time to raise awareness is now

For companies with a turnover of more than 500m to say they are not concerned means they are not concerned about potential fines of 100m, or four per cent of global turnover. Considering most companies of that size are likely to be part of the FTSE 350, how many shares does that represent? How would such a fine affect dividends? For mid-range companies, such fines could be crippling. Perhaps that is why in our survey more than half of respondents working for companies with a turnover of 100m to 500m were concerned about the Regulation.

The big question is not just whether businesses are worried or not, but whether they are being proactive and taking early action to prepare. Again, the survey suggests that many businesses are not realising either the benefits or the dangers of the Regulation. Nearly half of companies who know about the GDPR reported they were reviewing their policies. A third of those said they had appointed a DPO and two in five were planning a staff training programme. But what about the 50 per cent who aren't reviewing policies? The two-thirds who still don't have a DPO? Or the three in five who have no plans in place to train staff and change the culture of their company?

The advantages of preparing

The reasons to act quickly are compelling:

1. The job is far bigger than you think it is
Few companies can be certain they know exactly what data they have, where it is, how to access it and whether it actually needs to be kept. It takes time to find the answers, and putting the right processes in place may take longer than you expect. Significantly, the new GDPR makes it clear that paper records as well as digital records will fall under its remit. If you are a big company that already complies with data rules you may well think you are okay. It's an easy assumption to make, but it's a mistake. Big companies and older companies have vast quantities of paper, often stored by third parties, and access is going to be an issue.

2. Good data governance and treating data as an asset can raise profits
There are significant commercial benefits to being able to access information quickly and to freeing up space by securely destroying unnecessary data. Retaining less data can not only save on power and hard drive storage costs but may even allow companies to reduce the size of offices, saving money on commercial rent and business rates. At the moment, keeping data beyond its retention date is relatively cheap and seen as a safe option. But once the GDPR comes in, citizens will have a right to access that data and to ask for it to be edited. The extra costs could be significant, even though the data itself has little value to the company storing it. Similarly, those in the marketing department with a database that features double opt-in and a B2B client base may well feel safe and compliant. But do they have any idea that other departments have filing cabinets full of personal data?

3. There is a threat of reputational damage if you are one of the first to be investigated
For a large company on the radar of the authorities, demonstrating your preparation shows you are taking responsibility early and could actually buy goodwill when the new rules take hold. The regulator will almost certainly be looking to make examples of companies who are not compliant.

4. Complying with the Regulation will cost money; most companies will need time to budget
Almost 40 per cent of respondents who knew about the GDPR indicated they were worried about the cost of implementing it, and with good reason. Costs range from paying for a data audit, which doesn't have to be expensive, to bringing in new systems, employing new staff (including potentially a Data Protection Officer) and bringing in staff training, which almost certainly will be. There may even be capital expenditure. Some companies, for instance, may feel they need to redesign reception areas to make sensitive private information less visible. There may be a need, too, for databases to be reconfigured: few organisations have truly implemented Master Data Management and often hold various conflicting details such as contact information. IT budgets are notoriously over-stretched already, so finding that money will take time. On a positive note: multinational companies will only have one set of rules to comply with, not

5. Customers and stakeholders will be more comfortable if you are seen to be looking after your data
The public interest in the right to be forgotten case, which has seen Google and other search providers forced by a court case to remove outdated personal information from searches when requested, has gained huge publicity. So too have stories of data breaches at some of the world's biggest companies. In future the pressure on companies to keep personal data safe and to make it accessible and editable is going to be huge. Internet customers are notoriously fickle; they can be lost as quickly as they are gained. Companies that are seen to be ahead of the game on data protection will have a commercial benefit. It's not just about complying but about being seen to comply. Privacy, once regarded as a nice option, is now a fundamental necessity.

6. Finding a Data Protection Officer early can save you money
The Regulation requires all companies to appoint a Data Protection Officer. The best may well be able to ask for big wages, so the longer you leave it the more it is likely to cost. Salaries will rise the nearer we get to the deadline, and the suspicion is that most companies will wait until the month before the Regulation comes into force.

How long will it take to be ready for a new data world?

Perhaps the biggest question businesses need to ask themselves is how long it will take to prepare for the EU General Data Protection Regulation and when they should begin. The first part of that question is not easy to answer because an ongoing programme of reform is required; how long such preparation takes will depend on what a data audit finds and how much needs to be changed. The second part, however, is far simpler: time is of the essence and the sooner you start, the better. A data audit alone can take weeks, perhaps even longer for larger companies, and if legacy systems need updating that timescale will need to be extended. Staff training is likely to take months; a change in company culture even longer. So although the GDPR may not be enforced until May 2018, there is still a need for urgency.

Here is a basic guide on how to start the process

1. Begin with an information audit
If you don't know what data you have in the business and where it is, you have no chance. Paper and electronic files will both be included under the Regulation, which will cause companies some serious problems. If you don't audit, you have no chance of fully complying.

2. Decide what data to keep
The idea of keeping every record just in case is no longer valid because, as the data universe increases, overflowing databases will soon slow down processes and become unmanageable. A vital part of good data governance is knowing which data is useful and which is likely to have no value or may even end up costing you money. A common problem, for instance, will be what to do with the old data of people who have neither opted in nor out. Companies will now have to communicate with them or lose the use of that data. How do you reconnect with people who are no longer customers, and is it cost or time effective to do so?

3. Securely destroy unnecessary data
Very few businesses come out with 100 per cent following a data audit, so there will be remedial work to do. Companies may need to securely destroy unnecessary data stored on paper, for instance data that is no longer needed or has been kept beyond the retention policy date. Many people in the industry are predicting a boom time for secure destruction before the regulator comes knocking: a sudden rush to pulp.

4. Set a budget for a Data Protection Officer and oversee the appointment
This will be a key appointment for larger companies but also for many smaller ones that handle a high volume of personal records. For the latter it may be necessary to outsource the role, and we may well see specialised DPOs covering several clients. Either way it will incur a cost and needs to be budgeted for and driven forward. It is worth noting too that even in companies which do not require a DPO, someone still needs to take ownership of data.

5. Begin staff training and review your information governance framework
Staff training will be crucial to meet the requirements of the GDPR and to avoid data breaches. With most data breaches stemming from individual error or bad process design, the focus should be on ensuring every employee, at every level of the business, understands the importance of data protection. All employees need to be aware, trained and acting as responsible information owners. They should understand the vital importance of passwords as well as encryption, access rights management and the sensitivity of information. Software and security patches should be kept up to date. Employers should also ensure staff exiting an organisation are as carefully managed as those joining.

6. Put a clear and effective reporting process in place for data breaches
The Regulation will also put in place strict guidelines on how quickly a breach is reported. To achieve this, all employees (and especially those in customer-facing roles) need to understand what is a record and what is not, and to understand what a breach is and what it will mean. With such a tight deadline to report, it may not be feasible for a CEO or CIO to have sole responsibility for spotting and reporting a breach. Many businesses may find their information governance framework is not fit for purpose under such strains; it needs to be clear who is responsible for every type of data in a business. Furthermore, the inclusion of physically-stored data in the Regulation, for instance paper-stored records in box files and filing cabinets, may require an update in policies.

THE REGULATION WILL AFFECT ALMOST EVERYONE

Sectors affected: manufacturing, financial services, pharmaceutical, healthcare, legal, public sector

The EU General Data Protection Regulation will affect almost every UK business that collects or handles the personal data of any European citizen. It will have a significant impact across every sector and, as such, demands early attention. It is too easy to say that 2018 is a long way off or that, with the final details now confirmed, there is time to take stock. The reality is that time is short and the changes required are significant. The time to act is now.

This article was authored by John Culkin of Crown Records Management. If you have any questions regarding this article, or would like to find out more about other services provided by Crown Records Management, please contact John at jculkin@crownww.com