On 25 May 2018 the General Data Protection Regulation (“GDPR”) comes into force in the UK, introducing significant changes to the responsibilities of organisations that collect, store and share personally identifiable information.
Many of the principles behind the GDPR are the same as those for the current UK Data Protection Act (“DPA”). This means that if you have robust, established arrangements for complying with the DPA, you will be well placed to prepare for the GDPR. However, even if this is the case, the GDPR requires new processes to be implemented and some existing processes to be undertaken in a different way to meet the requirements.
What steps should organisations be taking?
The most significant change is the new accountability principle. Article 5(2) requires organisations to demonstrate that they comply with the principles and states explicitly that this is the organisation’s responsibility. The Information Commissioner’s Office (“ICO”) requires them to:
- Implement appropriate technical and organisational measures that ensure and demonstrate that they comply with the GDPR
- Where appropriate, appoint a Data Protection Officer
- Maintain relevant documentation on processing activities
- Implement measures that meet the principles of data protection by design and data protection by default
- Use Data Protection Impact Assessments (“DPIAs”) where appropriate.
The expectation is that data privacy governance will be strengthened with more robust reporting to Board level and stronger control structures established to ensure the organisation, its employees and third parties are aware of their respective obligations under the GDPR and other data protection legislation.
The conditions for consent have been expanded under the GDPR. In particular, organisations need to be able to demonstrate clearly how the individual gave their consent to data processing. Mechanisms for obtaining and documenting consent therefore need to be reviewed thoroughly and amended as appropriate to reflect the additional requirements of the GDPR.
Under the GDPR there is a legal duty for all organisations to report personal data breaches. The ICO must be notified of data breaches without undue delay or within 72 hours, unless the breach is unlikely to be a risk to individuals. Robust procedures for detecting, reporting and investigating data breaches need to be established to meet the GDPR requirements.
Public bodies must appoint a Data Protection Officer to lead and advise on data protection initiatives, monitor compliance and be the first point of contact for the ICO and for individuals whose data is processed. Most organisations are not obliged to make a new appointment and are therefore likely to adopt an approach which builds upon their current governance framework.
Under the GDPR, it is expected that there will not be a requirement to register and provide information to the ICO. Instead, data controllers will be required to maintain their own internal records of their processing activities (for disclosure on demand to the ICO).
The information disclosure requirements have expanded considerably and in particular individuals need to be informed of the legal basis for processing their data, their rights as data subjects, data retention periods and that they have a right to complain to the ICO if they believe there is a problem with the way their data is being handled. Privacy notices therefore need to be reviewed carefully and amended to reflect the additional requirements of the GDPR.
The DPA already requires organisations to have appropriate security and this expectation remains under the GDPR. Organisations are specifically required to have implemented appropriate technical measures to protect personal data, including pseudonymisation, encryption and privacy by design and default in their data processing activities.
The GDPR also requires a “privacy by design” approach to be adopted. A DPIA must be completed when using new technologies or where systematic, large scale processing is involved that is likely to result in a high risk to the rights and freedoms of individuals. Arrangements therefore need to be established for conducting DPIAs if these are not already in place.
How should Heads of Internal Audit respond?
Heads of Internal Audit are on notice that the GDPR is going to be an important issue for many organisations over the coming year. The December 2016 issue of Audit & Risk included the GDPR as one of the top IT predictions for 2017, noting that “much of 2017 will be taken up with GDPR readiness and testing.” In the knowledge that the penalties under the GDPR will be much higher (for significant breaches can amount to the higher of €20 million or 4% of global annual turnover), legal and IT teams are already working hard to put into place the enhancements to their arrangements required to ensure compliance. This is a subject that is high on the Audit Committee agenda and many HIAs have been asked to include a review of this area within their annual internal audit plans.
Experienced HIAs will be well-placed to provide this assurance. Using gap analysis techniques they can review the existing controls and identify the key areas that the organisation needs to improve to ensure compliance and can be a good source of advice in terms of the practical establishment of new controls and procedures. By applying their process design and operation skills they can develop and implement appropriate testing strategies to validate whether new or remediated procedures have been successfully implemented and mitigate the GDPR risks. Their experience of reviewing the implementation of organisation-wide projects will also enable them to devise a programme of assurance that ensures that Board and Audit Committee is kept aware of progress with the steps being undertaken by the organisation, highlighting any delays and emerging risks that need to be addressed.
If a review is not included in the internal audit plan, HIAs should be working with the Audit Committee to confirm that the Board will provided with the necessary assurance from another source.