After the revised data protection law came into force earlier this year, organisations that had been frantically dashing to meet the deadline for amending their policies and procedures paused to take stock of where they sat in terms of GDPR compliance. While the breather might have been welcome, data protection should not fall off anyone’s radar.
The infamous 25 May deadline was not the end of the process – instead it marked the start of companies’ GDPR journey. While work before the deadline involved getting the right people and measures in place to be GDPR-ready, the emphasis should now shift to putting the systems into practice: to testing the resilience of the new systems and the effectiveness of controls over them.
Many worry that the GDPR rules are more stringent than those that went before, with substantial increases in fines for non-compliance. The good news is that the Information Commissioner’s Office (ICO) has said that it won’t automatically impose fines. “They can impose sanctions and take mitigating circumstances into account,” says Jane Berney, ICAEW business law manager.
“There is discretion; not everyone is going to suffer an automatic fine of 4% of global turnover.” However, no organisation – no matter how small – can ignore the potential for fines. In July the ICO levied a £100,000 fine on the British Bible Society for failing to implement some fundamental technical and process controls under the previous Data Protection Act 1998.
While some of the problems uncovered were basic, such as poor password policies and lax remote access, the message was clear: no organisation that processes personal data can think itself immune from the ICO’s reach. So economia spoke to several accounting firms and ICAEW experts to learn about the practical issues they have come across so far on the GDPR journey and their ideas on how best to tackle these.
Who’s in charge
A data protection officer (DPO) is not mandatory but every organisation should have someone senior or high enough in the hierarchy to keep compliance as a standing item on board or partnership agenda meetings, and who can understand and manage conflicting views. Conflicts will happen because some think of GDPR as a legal- or compliance-led project, while others say it should be driven by technology.
Margaret Bowler, head of business risk and quality assurance at Grant Thornton, says it’s both of these – and more. “It also encompasses areas such as marketing, document retention and confidentiality,” she says. In acknowledgment of this interrelatedness, Grant Thornton has set up a data protection governance group, which has representations from all the different client service areas and internal support functions.
“GDPR is multi-faceted and needs a joined-up approach,” Bowler explains. Luther Teng, senior manager in EY’s risk advisory, advises clients on GDPR compliance. He says that this need for a multi-faceted approach can mean companies face issues in finding people with the right skills to act as DPOs. “DPOs need to understand the business requirements and translate this into what it means for technology and the rest of the business,” he says.
Part of the ongoing process for GDPR compliance is to know what data the organisation is holding, why it is holding it, and whether it needs it. A good example, says Berney, is an auditor looking at payroll. “Previously many clients simply handed over the whole payroll to the auditors. This should no longer happen. To prove the systems work, you might have various types of data for a number of employees to test the system. But you can anonymise the data, or not keep it after the tests have been done. And all data should only be accessed by the people who need to have access to it.” John Moore is one of two partners in accounting practice Kingly Brookes and is responsible for GDPR compliance within the firm.
His preparations had included visiting the ICO website and when it was time for the data mapping, he filled out the ICO templates. “We probably didn’t have to do this but I wanted to make sure we were working from the bottom up,” he says.
“Even for a small firm the data mapping process is more onerous than you might expect.” Organisations should continually review the need to keep data that identifies people and remove it, says Mark Taylor, ICAEW technical innovation manager. “It’s generally a good strategy to minimise the data your organisation holds. The less data you hold the less you have to worry about, to protect, to organise, to search and to back up. Ultimately this reduces costs and improves business resilience.”
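Berney’s payroll example above (a small sample of employees, anonymised, not retained after the test, and seen only by those who need it) and Taylor’s point about minimising what you hold can both be put into practice at the point the extract is produced. The following is an added illustration written for this page, not code from any of the firms quoted: it takes a constructed payroll extract with fictitious employees, keeps only a sample and only the fields the test needs, and replaces the employee identifier with a keyed HMAC token under a throwaway key. The field names and the choice of which fields an auditor “needs” are assumptions for the example.

```python
import hashlib
import hmac
import random
import secrets

# Constructed sample payroll extract: fictitious employees and figures, not real data.
PAYROLL = [
    {"employee_id": "E001", "name": "Alice Example", "ni_number": "QQ123456A",
     "department": "Finance", "gross_pay": 3200.00, "tax": 512.00, "pension": 160.00},
    {"employee_id": "E002", "name": "Bob Sample", "ni_number": "QQ234567B",
     "department": "Audit", "gross_pay": 2900.00, "tax": 440.00, "pension": 145.00},
    {"employee_id": "E003", "name": "Carol Test", "ni_number": "QQ345678C",
     "department": "Audit", "gross_pay": 4100.00, "tax": 730.00, "pension": 205.00},
    {"employee_id": "E004", "name": "Dan Dummy", "ni_number": "QQ456789D",
     "department": "Tax", "gross_pay": 3650.00, "tax": 620.00, "pension": 182.50},
    {"employee_id": "E005", "name": "Eve Placeholder", "ni_number": "QQ567890E",
     "department": "Finance", "gross_pay": 2750.00, "tax": 400.00, "pension": 137.50},
]

# Direct identifiers that the test does not need and must never receive.
DIRECT_IDENTIFIERS = ("name", "ni_number", "employee_id")

# Fields assumed sufficient to re-perform the payroll calculation in a system test.
FIELDS_NEEDED_FOR_TEST = ("department", "gross_pay", "tax", "pension")


def pseudonymise_sample(records, fields_needed, sample_size, key, seed=None):
    """Return a minimised, pseudonymised subset of `records` for a system test.

    - Only `sample_size` rows are taken, never the whole payroll.
    - Direct identifiers are dropped; only `fields_needed` are copied across.
    - A keyed HMAC of the employee id replaces it, so rows stay distinct and can
      be traced back by the key holder while the test runs, but mean nothing
      once the key is discarded.
    `seed` is only for reproducible tests; leave it None for real use.
    """
    for field in fields_needed:
        if field in DIRECT_IDENTIFIERS:
            raise ValueError(f"{field!r} is a direct identifier and should not be in the extract")
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    chosen = rng.sample(records, min(sample_size, len(records)))
    extract = []
    for rec in chosen:
        token = hmac.new(key, rec["employee_id"].encode(), hashlib.sha256).hexdigest()[:16]
        row = {"test_ref": token}
        for field in fields_needed:
            row[field] = rec[field]
        extract.append(row)
    return extract


def leaks_identifiers(extract, records):
    """True if any direct identifier from `records` appears anywhere in `extract`."""
    identifiers = {str(rec[f]) for rec in records for f in DIRECT_IDENTIFIERS}
    return any(str(value) in identifiers for row in extract for value in row.values())


def run_audit_extract(sample_size=3):
    """Produce the extract under a throwaway engagement key that is never stored."""
    key = secrets.token_bytes(32)
    extract = pseudonymise_sample(PAYROLL, FIELDS_NEEDED_FOR_TEST, sample_size, key)
    del key  # once the test is done nothing retains the mapping back to people
    return extract


if __name__ == "__main__":
    for row in run_audit_extract():
        print(row)
```

The extract still supports the audit test (each row is distinct and the pay, tax and pension figures are untouched), but it contains neither names nor National Insurance numbers, and once the key is gone the `test_ref` tokens cannot be mapped back, so there is nothing sensitive to retain or to restrict access to afterwards.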
Firms need to think about the GDPR compliance of new suppliers, such as cloud providers, when changing services. Most responsible organisations publish a statement about their compliance and will state where the data is being stored and the standards they adhere to in protecting the data.
But it’s best not to assume this, says Taylor. “If you want to change any supplier, part of the decision-making process should be to check whether they are GDPR-compliant – whether what they are saying they do stacks up.”
The temptation for many is to see what tools are available in the market and jump straight into one of them. Teng has seen this happen a number of times and cautions against this approach. “You need to walk before you can run – and the running part here is the tech,” he says. EY performs a gap assessment to see what the business needs are first before translating this into the platform requirements for maintaining privacy assessments, logging issues and management response, forensic tools, and so on.
“We have to remind clients to go back to the basics of people, processes and technology,” Teng says. “They are often thinking about technical breaches. But what about the people and process side if, for instance, a cabinet full of HR files were found on the street?”
Many of EY’s clients are still coming to grips with the sheer number of third parties they are dealing with, from offshore front-line support centres to using the cloud as a platform or as infrastructure. Teng says that some still haven’t got to grips with how far the personal data they manage is shared with third parties and how far across the EU and EEA border it’s gone.
“From an accountancy perspective, a lot of finance systems are more cloud-based now. There’s an increasing dependency on using third parties to ensure the data is not just protected and secured but that integrity is built into the system, especially for financial reporting purposes.”
Grant Thornton’s focus on staff training has been to develop understanding and awareness. The firm has developed what Bowler describes as “a fairly intensive” online GDPR training exercise and conducts detailed workshops with the parts of the firm that deal more with personal data.
One of the consequences, says Bowler, is that people are more aware of how personal data is being processed and managed and their part in that. “People are coming to us and saying: ‘This has happened, is it a breach?’” she says.
“None of the incidents are, but I think it’s brilliant that people are alert to the fact that it’s their own personal responsibility to identify them.” While the temptation is to think that only new staff will need training, everyone should be getting regular updates, says Berney. “Staff training needs to be an ongoing process with all relevant staff doing refresher training every two years to remind them and keep them informed of changes.”
Getting policies right
Policies and procedures need to be reviewed regularly, as should compliance with them. “It’s all very well saying ‘we keep files for six years’, but if you keep them for nine then you’re not adhering to your policies. These policies can be changed if necessary but you have to monitor them to see whether they need changing,” Berney says.
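Berney’s point that a policy of “six years” is worthless if files are in practice held for nine is something a firm can check mechanically against its own data map. The following is an added example written for this page, not code from ICAEW or any firm quoted: it runs a constructed retention schedule over a constructed file inventory, lists files held past their deadline (and files whose category has no retention period at all), and reports categories where the longest actual retention exceeds what the policy says. The categories, periods and paths are invented for the illustration.

```python
from datetime import date

# Constructed retention schedule: years a file may be kept after it is closed.
# Illustrative only, not any firm's real schedule.
RETENTION_POLICY_YEARS = {
    "client_files": 6,
    "payroll": 3,
    "recruitment_unsuccessful": 1,
}

# Constructed file inventory, of the kind a data-mapping exercise produces.
FILE_INVENTORY = [
    {"path": "clients/acme/2008-accounts.pdf", "category": "client_files", "closed": date(2009, 6, 30)},
    {"path": "clients/acme/2012-accounts.pdf", "category": "client_files", "closed": date(2013, 6, 30)},
    {"path": "hr/payroll/2014-15.xlsx", "category": "payroll", "closed": date(2015, 4, 5)},
    {"path": "hr/payroll/2017-18.xlsx", "category": "payroll", "closed": date(2018, 4, 5)},
    {"path": "hr/recruitment/2016-cv-smith.pdf", "category": "recruitment_unsuccessful", "closed": date(2016, 2, 29)},
    {"path": "misc/old-mailing-list.csv", "category": "marketing", "closed": date(2010, 1, 1)},
]

# Date the review is run as of (fixed so the example is reproducible).
AS_OF = date(2018, 9, 1)


def retention_deadline(closed, years):
    """Date after which a file closed on `closed` should no longer be held."""
    try:
        return closed.replace(year=closed.year + years)
    except ValueError:  # closed on 29 February and the target year is not a leap year
        return closed.replace(year=closed.year + years, day=28)


def overdue_files(inventory, policy, today=AS_OF):
    """Files held past their retention deadline, plus files with no deadline defined."""
    findings = []
    for item in inventory:
        years = policy.get(item["category"])
        if years is None:
            # A category the policy does not cover is itself a gap in the policy.
            findings.append({**item, "reason": "no retention period defined for category"})
            continue
        deadline = retention_deadline(item["closed"], years)
        if today > deadline:
            findings.append({**item, "reason": f"retention ended {deadline.isoformat()}"})
    return findings


def actual_retention_years(inventory, today=AS_OF):
    """Longest time, in whole years, any file in each category has actually been held."""
    longest = {}
    for item in inventory:
        held = (today - item["closed"]).days // 365
        longest[item["category"]] = max(longest.get(item["category"], 0), held)
    return longest


def policy_gaps(inventory, policy, today=AS_OF):
    """Categories where practice exceeds policy: {category: (policy_years, actual_years)}."""
    actual = actual_retention_years(inventory, today)
    return {cat: (policy[cat], yrs)
            for cat, yrs in actual.items()
            if cat in policy and yrs > policy[cat]}


if __name__ == "__main__":
    for f in overdue_files(FILE_INVENTORY, RETENTION_POLICY_YEARS):
        print(f"{f['path']}: {f['reason']}")
    print("policy vs practice:", policy_gaps(FILE_INVENTORY, RETENTION_POLICY_YEARS))
```

Run against the constructed inventory as of 1 September 2018, the check flags the 2008 client file, the 2014-15 payroll file and the 2016 CV as overdue, flags the mailing list because “marketing” has no retention period at all, and reports that client files are in practice kept for nine years against a policy of six. Either outcome is useful: the files get deleted, or the policy gets changed to match what the firm actually does, which is exactly the monitoring Berney describes.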
Moore drafted Kingly Brookes’s policies from scratch, something which took him a while as there was little guidance on the format and detailed content of the policies available at the time. ICAEW has published its own guidance assisting firms in achieving compliance and Moore has checked the firm’s procedures and documentation off against this.
When designing the policies, he had to know what people were doing in practice. Take technology. “Before we had oral policies that people couldn’t use flash drives or store data on laptops. Now these instructions have been formalised in our written policies. We’ve probably got a much clearer understanding with our IT service provider about breach identification and processes than we had before. And our policies are now issued to staff as part of their contractual documentation.”
Bowler’s priority now for Grant Thornton is keeping GDPR in everyone’s mind as a continual responsibility to make sure procedures are in place and working. “This requires ongoing monitoring and being aware of opportunities for improvement so we always have a continuous improvement environment. And to protect people’s personal information by our systems and our people.”
While she was originally frustrated by all the noise around GDPR, Bowler thinks this publicity has helped make people alert to the issue. “There’s a lot of misunderstanding. People think it’s about consent whereas it’s about the lawful basis of processing and how you protect your data. And it’s about how this sits within the firm’s culture and the interdependencies between systems and people. Most of all it’s about not taking it for granted: keeping up ongoing monitoring, education and awareness.”
ICAEW’s GDPR hub page includes a checklist and is regularly updated for new guidance. Visit icaew.com/gdpr