The introduction of the General Data Protection Regulation (GDPR) and the Data Protection Act (2018) have combined with the Privacy and Electronic Communications Regulations (PECR) to create a perfect storm of regulatory difficulty. Every business in Europe is affected, regardless of size, and the enforcement has begun!
For added clarity on the importance of GDPR compliance, and some expert advice on its relationship with document management, be sure to consult our DRMS briefing written by industry expert Humperdinck Jackman – Is your organisation GDPR ready?
The GDPR and PECR govern how any organisation manages, protects, and communicates with people. The scope is wide: it includes all personal data of residents of the EEA. As we advise our clients, it’s not just the obvious data which is covered, but also includes, computer IP addresses, anything to do with health, financial details, a person’s CV, and even their corporate email address.
Yes, there’s the threat of significant financial penalties for non-compliance (and even criminal prosecutions of Company Directors), but what of the reputational damage of being the next organisation to hit the headlines? When you consider that even sending an email to an unintended recipient can be a breach, it becomes clear that expert guidance is required.
Whatever you do, and whatever the size of your organisation, we believe you must start with a thorough GDPR Readiness Assessment. Ours is generally 70 questions, covering seven distinct topics. A weighted scoring system then generates a relative score against which you may see your compliance – and risk exposure – at a glance.
After all, if you can’t measure it, you probably can’t fix it!
Fundamental to the regulations is the requirement to identify your lawful basis for data processing. Contrary to much ill-informed guidance, this extends far beyond seeking consent. Perhaps it is in your legitimate interest, for the fulfilment of a contract, a legal obligation (and others too). These must be documented in advance!
At the very heart of compliance is the Process Register, also known as a Register of Processing Activities, or ROPA.
This is a specialist document to document the life-cycle of personal data from when it enters the organisation, where it’s stored, it’s usage, retention, sharing, and much more besides. Without the Process Register, it’s impossible to construct a Privacy Notice, or to document your lawful basis for processing personal data.
Example of a Process Register – ROPA
Following on from the Process Register, you will develop your Risk Register. This complex document is used to evaluate the threats surrounding the use of personal data.
For example, if within the Process Register, you see that personal data is sent via email, then you will be tasked to consider the risk posed to the individual if that email was to be mis-directed. If the risk remains high, then you might need to perform a Data Protection Impact Assessment or, perhaps, you’ll need to get the Information Commissioner’s Office involved.
Example of a Risk Register
You will find it helps manage your progress if you present the data from the Risk Register in the form of a Heat Map, as in the simplified example below.
How will you manage a Data Protection Impact Assessment (DPIA)? Remember that failure to perform a DPIA – or performing one improperly – can lead to a fine of up to €10m! This can be a fearsomely complex document to complete, and there’s no ‘one size fits all’ option. In a larger organisation, there may be 100’s to complete, and in an SME, perhaps not even one.
Coupled with the above, you require documentation – policies and procedures – to adequately document your compliance. After all, how do you prove the email or postal communication was legal to send? Your PIMS is a template for you to develop and integrate with your existing policies. It’s your ‘master control’, a live document unique to your organisation and, like your Process Register, will require your continual attention and adjustment.
A major hurdle is the strict legal requirement that any data sharing between organisations is covered by a Data Sharing Agreement. These take many forms, and it is careless to risk your organisation by using one merely ‘found on the internet’. Our specialist draft customised contracts for us both in the E.U., and for transfers to Third Countries, such as the USA.
Consider the consequences of either a data breach or a Subject Access Request if you had to respond today. Do you know how to react? Do you blindly notify the Information Commissioner’s Office (the ICO), the data subject, both or neither? Do you have the legal documents required? How would you know what data to reveal? When? Such factors are part of the Advanced UK approach to supporting our clients. We guide you through the complexities.
There’s no certificate of compliance available, nor any ‘certified’ software, but there are best-practise approaches to ensure you implement an effective program of change management.
Our team of consultants guide you through a readiness assessment, and develop the documentation, processes and procedures required. Throughout, there’s practical guidance, helping you to navigate the additional requirements of the PECR and the Companies Act too.
The introduction of the ePrivacy regulation (e-PR), will affect every organisation, from the smallest SME to the large corporation will have to implement change. For many, the effects could be catastrophic: the draft regulation proposes that even business to business (B2B) communications will require consent!
We are ready to assist: we can explain how your organisation may make strategic changes to stay ahead of your competition. While everyone else is sending tens of 1,000’s of ‘consent’ emails, you will be sitting back watching the chaos.
Our data protection / privacy consultancy team is headed by Humperdinck Jackman, a career specialist in the field of Records Management and Privacy. Humperdinck is the Data Protection Officer for the world’s largest children’s charity, two international software corporations, and also for a major school’s Trust.
Humperdinck explains, ‘Clients like pragmatic advice, delivered in a no-nonsense fashion. They want to work with you, and not receive just lectures’. As our clients tell us, Humperdinck has a skill in making complex topics understandable.
Throughout your regulatory compliance journey, you may realise you could benefit from technological solutions to enhance your position. We’ve gathered several of the core components which include:
At Advanced UK, we have over 25 years’ experience in the document solutions integration sector and are one of the longest-serving Xerox partners. Our decades of Records and Document Management experience make us excellently positioned to help ensure your compliance, and to avoid GDPR penalties.
Contact us today to see how our team might assist. Don’t wait until you are fined or appear in the headlines for the wrong reason.
