Getting Ready for GDPR


14 June 2017

Getting Ready for GDPR

Adrian Hood, Policy Director, The Investment Association
Justin Baxter, Partner, Crowe Horwath

KEY HEADLINES

- GDPR becomes effective 25th May 2018, replacing the UK Data Protection Act 1998
- Mostly builds on the Data Protection Act, though with significant changes in some areas
- New legal and oversight implications of non-compliance: fines of up to 4% of global turnover
- As significant: a growing risk of reputational damage to shareholders and to customers
- Implications for market perception and customer expectations
- GDPR is concerned solely with personal data, though this does include employee data
- The Information Commissioner's Office (ICO) is the UK Supervisory Authority
- Regulations issued in 2016, but guidance continues to be released

GDPR IN 5 MINUTES

1. LAWFUL GROUNDS TO PROCESS: much tighter rules regarding the legal basis that can be used for processing a person's data
2. COMMUNICATING PRIVACY INFORMATION & GAINING CONSENT: requirements relating to enhanced privacy notices, and for consent to be explicit, informed, freely given and verifiable
3. INDIVIDUALS' RIGHTS: new rights relating to areas such as correcting inaccuracies, erasure, portability, profiling and automated decision making
4. DATA SECURITY: requirement not significantly different to the DPA, but the implications of non-compliance are very different
5. BREACH REPORTING: notification to the ICO of major breaches within 72 hours
6. UNDERSTAND DATA: be able to demonstrate an understanding of the data held by the organisation
7. DATA PROTECTION OFFICER: requirement to appoint a Data Protection Officer responsible for data protection compliance

POLLING QUESTION

What aspect of GDPR do you expect to have the greatest impact on your business?

A. Breadth of requirements - the breadth of impact of the GDPR requirements
B. Data Subject rights - complying with Data Subject Rights, e.g. right to erasure, portability etc.
C. Lawful processing - legal grounds for processing customer data, and gaining consent
D. IT security - ensuring data and IT security requirements are sufficiently robust
E. Third Party oversight - providing adequate oversight of third parties, and changes to supplier contracts

KEY CHALLENGES

SETTING THE BAR
- Principles-based regulation, open to interpretation
- No instruction manual to follow

DATA PROTECTION OFFICER
- Brand new role, with a lack of consistent market thinking
- Challenge of needing to know the GDPR regulations, but also to have an operational understanding of the business

UNDERSTANDING DATA
- Few companies fully understand the nature, location and use of the data they hold
- Needs to include physical and electronic data

DELETION OF DATA
- Inability to delete data from legacy systems
- Tension between GDPR requiring minimisation of data and the business value of retaining it

THIRD PARTIES
- Significant reliance on suppliers / outsourcers
- Volumes of contracts to review
- Approach to oversight of third parties

INTERNAL ENGAGEMENT
- Regulatory change, and data protection, is not seen as being very sexy
- Moving data protection from a 2nd line compliance activity to being owned by the business

POLLING QUESTION

What is the current status of your GDPR project?

A. Not yet started
B. Just getting started - currently reviewing the GDPR regulations and considering how to proceed
C. Conducting gap analysis - project recently mobilised and currently focused on conducting a gap analysis against the GDPR requirements
D. In implementation - project well underway with implementation activity progressing against an agreed plan
E. Addressing through BAU - informal activity underway to address requirements as a BAU activity

AREAS TO FOCUS ON

Governance & Policy
Enhanced policies and standards that address the requirements of GDPR and determine the organisation's risk appetite in relation to data protection.
- GOVERNANCE (link to the wider Enterprise Risk Management framework)
- POLICY & STANDARDS (enhanced policies to drive the standards and design of operational changes in line with risk appetite)

Legal, Processes & Organisation
Establishing the legal basis for use, the Data Protection Officer role, handling customer requests, managing third parties, responding to data breaches, transferring data outside of the EEA, and implementing organisation and process changes.
- LAWFULNESS OF PROCESSING & CONSENT
- CUSTOMER REQUESTS (SAR; RTBF; Portability; Restriction)
- DATA PROTECTION OPERATING MODEL (DPO role; Privacy by Design; DPIA; Line 1 & 2 responsibilities)
- THIRD PARTY MANAGEMENT (legal docs; DD; oversight)
- BREACH MANAGEMENT & NOTIFICATION
- TRANSFER OF DATA OUTSIDE OF THE EEA (Standard Agreement; Binding Corporate Rules; Privacy Shield)

Data Definition, Information Security & Data Retention
Understanding, defining and documenting the data that the organisation holds, the approach to information security, and data retention.
- INFORMATION SECURITY - ELECTRONIC
- INFORMATION SECURITY - PHYSICAL
- DATA DEFINITION (documenting uses and location of personal data)
- DATA RETENTION (deletion; obfuscation; pseudonymisation)

2017 Crowe Horwath LLP

CONCLUDING THOUGHTS AND POLLING RESPONSES

- For organisations: GDPR (data protection) is a significant operational risk that needs to be properly managed
- For consumers: GDPR is about conduct, and about being treated fairly
- GDPR is not a one-off: data protection, and the role of GDPR, will only grow in importance in the future
- Getting started: prioritise understanding your data
- Help and support: try using the ICO's online resources
- Expect ICO intervention: the ICO acknowledges the journey firms will be on to ensure compliance, but has also stated that there will be no honeymoon period after May 2018
- The clock is ticking: May 2018 is less than 12 months away, time to get started!

CONTACT:

Adrian Hood
Justin Baxter