There are now less than 12 months until GDPR D-Day. The 25th May 2018 will usher in new robust structures for any businesses who process personally identifiable information about anybody who is an EU citizen.
The fines for a GDPR breach of 20 million euro or 4% of global annual turnover have been widely documented. This has been further strengthened with recent analysis from global management consultancy Oliver Wyman that found FTSE 100 companies could face fines of up to £5 billion a year if they don’t comply with the new regulation.
GDPR goes beyond the realms of merely ticking the boxes and hoping for the best. It is imperative that every business gets this right, and the key to this is accountability.
The need for accountability in data privacy can be traced back to 1980 in the privacy guidelines then issued by the Economic Cooperation and Development (OECD) that described accountability as “showing how responsibility is exercised and making it verifiable.” This definition also lends itself to how GDPR will be in practice. GDPR seeks to strengthen the responsibility of data controllers and data processors in relation to the processing of personal data.
The measures organisations must put in place include documented processes, data protection impact assessments and a data security methodology. They must also appoint a mandatory data protection officer for any large-scale processing of personal data, and to ensure the keeping of up to date records regarding processing activities.
Accountability Underpins GDPR Rollout
The European Data Protection Supervisor (EDPS), in their Accountability Fact Sheet, state that accountability in personal data processing requires:
- Transparent internal data protection policies, approved and endorsed by the highest level of the organisation’s management.
- Informing and training all people in the organisation on how to implement the policies.
- Responsibility at the highest level for monitoring the policy implementation, assessing and demonstrating to external stakeholders and data protection authorities the quality of the implementation.
- Procedures for redressing poor compliance and data breaches.
Although the word accountability appears seldomly in the GDPR, the core concept of accountability underpins the entirety of GDPR.
- Article 5: Identifies the Data Controller as the person responsible for ensuring compliance with the principles in GDPR surrounding personal data processing In addition to ensuring compliance with GDPR principles, the data controller must prove it via a series of procedures that make data regulation a verifiable practice.
- Article 24: States that the Data Controller should implement, review and update organisational processes to show that processing operations are carried out according to the new rules.
- Article 39: States that it is up to the Data Protection Officer to “monitor compliance with this regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits.
Businesses need to demonstrate that they are properly compliant, which includes practicing and enforcing the policies and procedures outlined by GDPR. It is up to businesses to build a framework upon which a culture of privacy can be established.
This means real change to the culture of an organisation. Accountability isn’t something that can be an afterthought of your GDPR preparation, rather it needs to be at the core of your GDPR plan now, in May 2018 and forever more.
GDPR fines won’t just happen when a huge cyber-attack or event happens, they will hit hard whenever there is found to be no data protection impact assessment, a lack of data protection officers in an organisation and an inability to put in place an end to end GDPR lifecycle. Even one piece of the puzzle missing could cost companies huge amounts of money.
GDPR requires organisations to be compliant with the new regulation, but it also offers the opportunity to enhance your business by committing to the ethical use of personal data. You can use this onus on accountability to present your organisation as a bastion of individual privacy rights which can play an integral part in whether someone chooses your company over a competitor.
The time to act on GDPR is now, but it’s important to remember that any plan you put in place must have accountability as a core component to enable you to be compliant on May 2018 and future proof your organisation for years to come.