Clients used our GDPR Risk and Readiness Assessment to obtain:
- a high-level risk profile of their organisation
- a GDPR Readiness Assessment measuring 12 key principles and 31 sub-principles
- a comparative assessment against their peers
- an Action Plan and Recommendations
Since then, we have assisted organisations in the delivery of their plans, with ongoing professional support services and with periodical progress reviews.
Based on this work, we have collated an insightful Overview of Data Protection in UK organisations, this information is summarised below – anonymously of course – by industry sector.
As our clients have been working though their plans, we have provided a structured GDPR Review programme to help them understand their current performance, compliance and risk mitigation.
Overview of Data Protection
We conducted over 40 GDPR Risk & Readiness Assessments.
Here are the aggregated ratings for clients across eight business sectors:
The Construction and Food sectors had most to contend with, while Insurance businesses were somewhat more prepared.
All organisations encountered significant challenges, with most facing compliance issues with Data Protection Impact Assessments (DPIA) and Personal Data Breach, including detection, investigation and reporting procedures.
GDPR Review
The goal is to understand how your data protection policies and procedures are bedding in.
It provides a comprehensive benchmark of progress since your initial assessment, in particular:
- the extent to which you have taken forward the activities identified at the transition stage
- how well your activities have moved to “business as usual” and are consistent with a compliant assessment
Key objectives of the review are to:
- Revisit the initial review to identify recommended actions;
- Assess progress against the recommended actions and determine an appropriate rating/score;
- Identify any shortfalls and areas of concern;
- Draw your attention to any relevant implementation issues/problems identified elsewhere (in particular, at comparable organisations) and suggest mitigating strategies;
- If feasible, assess your progress against comparator bodies/clients of Oyster IMS
- Make recommendations for further improvements as appropriate (including an indication of significance/priority);
- Prepare a succinct/clear report of findings and report back to your key stakeholders.
GDPR - Frequently Asked Questions
What is a ROPA?
ROPA stands for Record of Processing Activities.
The ROPA must include a comprehensive overview of the processing activities you undertake. The ROPA lists every single processing activity, describing the exact usage of the data, the technical and organisational measures that have been put in place for the protection of the data. It shows who is affected by data processing, the recipient of data processed, and any other data processors. The ROPA should also include a risk analysis.
A ROPA demonstrates your organisation’s GDPR compliance and so it is essential that it is well-managed and organised.
How do I find out how compliant I am? What do I need to do next?
The first step is to recognise that something needs to be done, this shouldn’t be ignored and should be done as soon as possible.
The next step is to assess your current situation to establish how compliant you are and what to do next – “Where are we now? “And where do we need to be?”
Once you know where you need to be, you can make a considered decision and include GDPR compliance requirements into your overall risk and compliance framework.
Your approach to auditing should provide a measure of two key factors: Risk and Readiness.
The steps towards compliance depend on your circumstances, so there is no fixed template which will suit all organisations. Variations in size, activity and operations mean that each organisation will have a unique risk profile that can vary considerably.
Understand YOUR risk and get an expert view of YOUR readiness for the GDPR – >> Book your Risk and Readiness Review
What are the big risk areas?
This is one of the hardest areas to address, the areas and size of risk will vary for every organisation – this really needs to be evaluated by a proper Risk Assessment.
One thing to bear in mind is that the risk should be evaluated from the point of view of the individual and should be judged according to the size or scale of the risk to the individual.
The GDPR describes the risk areas but there is an element of judgement for each organisation. It is not as simple as measuring how many individuals’ data you process, but rather the type of data and extent of processing – all factors which affect the level of risk.
For example, if you are responsible for a small amount of personal data which could, if not properly managed, present a very serious potential impact on the individual, then the risk must be judged as high, and you must take appropriate steps to mitigate risks and safeguard the personal data.
What is personal data?
Article 4 of the GDPR uses quite a broad definition of personal data as:
“… any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”
In effect, personal data is anything about an individual. This includes personal data collected as part of internal business processes e.g. HR records, contracts and payroll, as well as records of customers, members, prospects and subscribers.
It should be noted that from a Sales and Marketing perspective, personal data exists in both Business to Consumer activities (B2C) as well as Business to Business (B2B).
What personal data do you hold?
What is a Personal data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
A personal data breach is a security incident that has affected the confidentiality, integrity or availability of personal data. A breach occurs if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach.
What is a Data Protection Impact Assessment (DPIA)?
A Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project.
You must do a DPIA for processing that is likely to result in a high risk to individuals.
It is also good practice to do a DPIA for any major project which requires the processing of personal data.
Your DPIA must:
- describe the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.
What are the benefits of being compliant with the GDPR?
As the protection of privacy becomes ever more of an issue for individuals, having a good reputation in this respect will become a differentiator and will allow customers to make a more informed choice based on trust.
– The processes for ensuring compliance should also support good information governance, while generating procedural and operational efficiencies, including storage and costs savings.
– Concepts such as Privacy by Design can help to ensure that operational processes are planned and developed in a way that helps to avoid later disruption, manage reputation, and drive the quality of products and services.
– New GDPR requirements such as pseudonymisation and encryption of personal data will help to support big data analytics, by ensuring that large volumes of data provided for analysis are delivered in a way which supports the privacy of the individual, and helps to release the value of that information.
What is a DPO?
DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.
What does a Data Protection Officer do and who can be a DPO?
Organisations must appoint a DPO if they are a public body, or process sensitive data on a large scale or complete regular and systematic monitoring of data subjects. Deciding what is meant by large scale is open to interpretation but organisations would be advised to err on the side of caution. Earlier thoughts during the development of the GDPR about the need for a DPO indicated larger organisations would need one. If you meet that threshold and decide not to have a DPO, you will need compelling reasons.
Larger organisations – those with over 250 staff – have additional responsibilities including the requirement to document all processes involving the handling of personal data.
A DPO doesn’t need to be a specified member of staff, as a third party can be used. In Germany, this practice has been in use for some time, with specialist agencies offering DPO services.
It’s essential that the DPO has a level of independence and authority with regard to the organisation.
It’s also very important to establish that a DPO has the appropriate skill levels, training and ability to access the information they require.
It is therefore critical that the DPO has the ability to both understand the law and how it should be applied within the organisation, This expertise must be applied to an understanding of the ways that the organisation acquires and processes information, as well as the security and protection measures employed.
It’s quite likely that many individuals who currently have the role of data protection representative, may not be suited to the new DPO role.
Will you need a DPO?
Can we contract out the role of the DPO?
You can contract out the role of DPO externally, based on a service contract with an individual or an organisation. It’s important to be aware that an externally-appointed DPO should have the same position, tasks and duties as an internally-appointed one.
More information on our DPO Managed Service
My business is registered for Data Protection already – what has changed?
The initial change is that you no longer have to register. If you capture, keep or process any personal data of data subjects who are in the European Union then you are subject to the GDPR.
There are a number of major new requirements in the GDPR, (see below), but for those companies which have good procedures to comply with the current DPA, the transition to the GDPR should be easier to manage.
The regulator has lots of new rights, including very hefty financial penalties and the right to stop or restrict you from processing any personal data. For example, the regulator can audit your personal data processes, which must be documented, requiring you to produce all those procedural records.
Does it apply to everyone; how can I find out if it applies to me?
The GDPR applies to every organisation that uses personal data to provide goods or services to anyone residing in an EU country. This rule applies irrespective of the location of the organisation itself, so UK businesses are directly affected. There are some rare exceptions in regard to law enforcement agencies.
It covers any organisation which offer goods or services, which includes both paid for and free services; or any organisation who monitor the behaviour of data subjects within the EU.
In short, if you provide any services to residents or citizens of the EU, the GDPR applies to you.
What are the new requirements?
Breach notification – An important requirement that companies must notify data authorities within 72 hours after a breach of personal data has been discovered. Data subjects may also have to be notified, but only if the breached data poses a “high risk to their rights and freedoms”
Fines – The higher fines are generally applied if the rights of individuals have been breached, if there are issues around international transfer and where there is non-compliance with the regulator. The second tier of fines, which are still significant, refer to more procedural and operational failures.
The Right to Erasure and To Be Forgotten –The GDPR includes rights for personal data published on the web. This relates to the right to stay out of the public view and “be forgotten”.
Extraterritoriality – This new principle says that even if a company doesn’t have a physical presence in the EU but collects data about EU data subjects, e.g. through a website, then all the requirements of the GDPR will apply. In other words, the new law will extend outside the EU. This will especially affect e-commerce companies and other cloud businesses.
Privacy by Design (PbD) – The new law makes explicit the principles of minimising data collection, retention and gaining consent from consumers when processing data.
Data Protection Impact Assessments (DPIA) – When certain data associated with subjects is to be processed, companies must first analyse the risks to their privacy.
The new requirements will mean changes for all organisations
Why has this new law been brought in?
The General Data Protection Regulation (GDPR) is a regulation which intends to strengthen and unify data protection for individuals within the European Union (EU).
The GDPR covers personal data. (Sometimes referred to as personally identifiable information – PII). This includes names, addresses, phone numbers, account numbers, email and IP addresses.
The goal of the GDPR is to give control and power over personal data back to users. It’s your personal data but in many cases you’re not really in control of it. The new law is a significant development for personal privacy which aims to return the balance back in favour of the individual.
The GDPR takes into account the many advances in new technology and media.
When the existing Data Protection Act (DPA) was introduced, in 1998, the internet was very new. People didn’t understand the full implications of what it would lead to. Additional developments such as social media and cloud computing have drastically altered the information landscape. It is clear that far more information is now being held, processed and transferred. Our personal data now contains many more types of information and it is used in more ways than ever before.
The GDPR adds new requirements for documenting procedures, performing risk assessments, notifying the consumer or user and authorities when there is a breach, as well as strengthening rules for data minimisation.
In summary, the GDPR legislates a lot of common sense data security and privacy ideas: minimise collection of personal data, delete personal data that’s no longer necessary, restrict access and secure data through its entire lifecycle.
Will the law change the way in which I can contact my customers?
Where you have existing customers, i.e. persons to whom you have provided a product or service – even if provided free of charge – you are permitted to stay in contact with them, provided that you:
a) can provide evidence that they are your customers, and
b) you offer them at all times the opportunity and ability to decline future contact with your organisation.
You may hold other personal data, for which you rely on the consent of the data subject, e.g. lists of leads, prospects, website contacts or blog subscribers. In these cases, it is essential that:
– their consent was freely and knowingly given, and that you can prove this,
– that you use their information only for purposes consistent with the consent that was given,
– that the data subjects have the opportunity to withdraw their consent.
This area is complex, and the exact way in which the regulations should be applied will be dependent on the ways in which any existing personal data – and consent – was acquired. Furthermore, it is essential to plan and implement compliant processes and systems that follow a Privacy by Design framework to ensure that all personal data held or processed in the future is secure. Above all, it’s essential that you document all your processes concerning the handling of personal data, and that these are designed with the individual’s privacy rights as the main consideration.
Do we just need some new policies?
Compliance with the GDPR means properly designing and documenting compliant systems, procedures and processes which ensure the protection of personal data. This starts with executive ownership of the responsibility for personal data and will also entail training, good record keeping and the review of working practices.
The law has new requirements regarding the use of consent and how it should be obtained. To ensure individuals are being treated fairly, consent must be freely given and individuals fully informed. It is not acceptable to rely on silence or inactivity as consent.
It is definitely not enough to publish a policy which describes the intent to comply with GDPR.
Compliant procedures, systems and training are essential to GDPR.
What is Privacy by Design?
Privacy by design is an approach to projects that promotes Privacy and Data Protection compliance from the start.
Privacy and Data Protection obligations must not be an afterthought. They should be key considerations from the beginning of any project and then throughout its lifecycle.
Consideration should be given when building a new IT system which will store personal data, developing policies and using data for new purposes.
The GDPR requires organisations to implement technical and organisational measures to show that they have considered and integrated data protection measures into their data processing activities.
