It’s almost time for the introduction of the GDPR, and its effects will be felt not just in Europe say Kerr Kennedy and Kateryna Gorbunova of EY Bermuda.
Organisations today collect a vast amount of data, much of which can be personal information that could identify individuals. This data is an invaluable asset, providing the backbone for market and client insight, product and service offerings, and day-to-day operations, particularly as organisations extend their digital proposition and business model.
Over the last few years, companies in every industry and sector around the world have seen their sensitive internal data or personally identifiable information lost, stolen or leaked to the outside world. A wide range of high-profile data loss incidents has cost organisations millions of dollars in direct and indirect costs and has resulted in tremendous damage to brands and reputations. In our digital age, it is clear that data has become one of the most valuable resources.
Accordingly, people are increasingly aware of their privacy rights and have higher expectations of organisations that process their data.
Regulators and privacy commissions globally have attempted to legislate privacy protection and develop privacy standards for organisations to adhere to and adopt. However, with various local privacy laws and regulations in place, many of which are inconsistent in nature or even contradictory, international companies have struggled to achieve compliance.
Similar to other legislation, such as the Foreign Account Tax Compliance Act (FATCA) and Common Reporting Standards (CRS), the EU’s General Data Protection Regulation (GDPR) has a global outreach with its influence extending beyond European borders. Many organisations worldwide will now have to take further ownership of their information practices, be accountable for all associated privacy risks across the enterprise in the course of doing business and be able to prove the veracity of their programmes. Organisations that don’t take these steps risk reputational and financial damage that could be devastating.
With an implementation date of May 25, 2018 and with a maximum fine of €20 million (or 4 percent of annual global turnover, whichever is greater), companies are finding that they have a lot more to do than they originally thought.
Does GDPR apply to your business?
There has been a relatively slow response by many non-EU financial services firms in addressing GDPR. Some non-EU-based firms may feel the rule doesn’t apply to them. Others may assume that their European teams have this in hand. Whatever the reason, we observe that more non-EU firms are starting to realise that GDPR may apply to them, as it captures a broader range of activities than many firms initially thought.
GDPR applies to enterprises that:
- Offer goods and/or services that are available to individuals within the EU.
- Have employees, contractors, customers or other people who are residing in the EU.
- Perform monitoring of individuals residing within the EU. For example, consider your centralised functions that conduct surveillance, such as for fraud, anti-money laundering, sanctions or cyber threats. To the extent those functions may use data related to EU residents, your organisation may be subject to the GDPR requirements. Similarly, many firms’ websites continuously monitor traffic and users, and some leverage third-party vendors to perform the monitoring. Those activities, of the firm or the third parties, may subject your organisation to GDPR requirements.
GDPR distinguishes between data controllers and data processors, imposing a different set of obligations and liabilities on both.
A data controller is a body that (alone or jointly with others) determines the purposes and means of the processing of personal data. Personal data, within the confines of GDPR, refers to any information (a single record or a combination of records) relating to an identified or identifiable natural person, such as a name, employee identification number or location data.
A data processor is a body that processes (collects, organises, stores, discloses) personal data on behalf of the data controller. Examples of data processors include payroll companies, cloud computing service providers and other vendors or subcontracting organisations that may hold or process personal information on behalf of their contracting authorities.
GDPR imposes penalties not only on controllers for a lack of proper protection of personal information but also on processors, regardless of their physical location. Therefore, processors may find themselves in need of independent compliance verifications to confirm to their clients that they maintain appropriate technical and organisational measures, in such a manner that processing will meet the requirements of GDPR.
Key steps to achieving GDPR compliance
To understand how GDPR will impact the organisation and how to effectively build a framework to adhere to its principles, you will need to:
- Identify the high-risk data flows of your employees’ and customers’ personal data.
- Map the end-to-end data life cycle per flow while assessing whether personal data is adequately protected at every point along the flow.
- Identify where data protection gaps and deficiencies exist and define a prioritised programme of remediation that forms part of the overall information governance framework and approach.
Before delving into the various activities, it is vital that an organisation assembles a cross-functional group from within the organisation to lead these efforts, bringing a holistic, enterprise-wide focus. Once the right team is in place, the first step of the process is centred around the capture of an inventory of the data flows, which includes an overview of data sources (eg, systems and files), where data is stored, how it is processed, who it is shared with and how long it is retained.
Mapping high-risk, critical data flows and data asset inventory is a crucial step of GDPR compliance. Starting this exercise early while focusing on the critical, high-risk data flows and keeping tight control of the scope of your data flow mapping will help manage the timing and cost of delivery.
Next, a gap assessment is performed that includes identification of areas where policies, procedures and controls at the organisation do not align with GDPR regulatory requirements. Once the gaps are identified, a prioritised remediation programme should be established. A successful programme should include a detailed project plan that pinpoints quick wins and effort to deliver required improvements to an agreed timeline.
It is worth noting that certain GDPR requirements, particularly those related to protecting, processing and storing personal data, can be satisfied by adopting industry-recognised information governance frameworks such as COBIT, the US National Institute of Standards and Technology (NIST) publications, the International Organization for Standardization (ISO) standards, and many others. However, there are new requirements that are not covered by existing industry or regulatory frameworks, such as those related to data subject rights. While some organisations already have these frameworks in place, they will need to review and update them to ensure they align with the full scope of GDPR.
Addressing GDPR challenges
A number of challenges can affect the GDPR implementation journey.
Discovering personal data
As business models are changing and organisations are moving towards digital platforms, the volume and spread of personal data held and used by organisations have increased significantly. Firms often struggle to understand the breadth of data they hold across the firm, why and where they retain it, how it is being used across hundreds of applications and the full personal data life cycle, from receiving to ultimately destroying the data appropriately.
While structured data can be uncovered through data flow mapping activities such as information discovery, unstructured personal data residing in and circulating through emails, memos, etc. is difficult to profile, and may require the use of specialised data discovery software.
Managing data transfer between EU and non-EU organisations
GDPR comes with an extended jurisdiction and applies to all companies processing personal data of EU-based subjects, regardless of an organisation’s location. The regulation stipulates that under no circumstances can the transfer of data to a third country result in a reduction in the level of protection for that data. This principle also applies in onward transfers of personal data from that third country to another or to an international organisation.
Therefore it is important to confirm that arrangements for transferring personal data outside the EU member states are documented within one or a combination of the following:
- Standard contractual clauses or binding corporate rules (BCRs).
- Standard data protection clauses.
- An approved “European Data Protection Seal” for the controller and the processor.
Demonstrating compliance on an ongoing basis
Getting to a position of GDPR compliance is just the beginning. Compliance is an ongoing responsibility; the inability to execute on GDPR commitments on an ongoing basis will put a firm at the most risk of regulatory penalties and/or customer class-action suits.
For organisations that conduct large-scale systematic monitoring of EU residents’ data or process large amounts of sensitive personal information, the regulation requires the appointment of a data protection officer (DPO). DPOs have significant accountability for adherence to the GDPR requirements, and they must be appropriately qualified in data protection laws and practices; be independent of management; have access to the necessary resources to monitor GDPR compliance; and be actively included in all relevant data protection discussions and decisions.
However, even if your company does not require a formal assignment of a DPO function as prescribed by the GDPR, it is still important to designate an equivalent role to someone within the organisation who will not only inform and advise on privacy-related matters, but also monitor compliance with the regulation and report on compliance and privacy risk to senior management and the board.
GDPR touches on all aspects of an organisation, reaching across people, processes and technology; as such, establishing a cross-functional team that supports the transformation of the company is a critical step for a successful implementation. Even with a tailored, prioritised plan in place, operationalising the new GDPR framework and remediating legacy systems and processes across the organisation is a complex challenge that requires the collaboration of many disciplines.
GDPR will harmonise laws across all EU member states, and while this, in turn, should make the complex data protection landscape easier to navigate for multinational organisations, it will introduce significantly more challenging requirements and notably increased fining powers. It is also safe to assume that the regulation is setting a global standard, as many governments, including Bermuda’s, have already committed to implementing equivalent or alternative legal mechanisms focused on personal data protection.
In enacting the GDPR, the EU gave companies two years to get ready to comply. Now, with limited time remaining, many non-EU financial services firms still have a long way to go to confirm whether the regulation applies to them and, if so, to make the necessary changes to be ready for the implementation. Building an approach that is sustainable beyond 25 May 2018 is even more challenging. The wide-reaching impact on business means data protection and privacy also become a factor in business strategy and should form part of the management agenda. As a result, organisations can use GDPR as a catalyst for change beyond compliance — from enhancing reputation and customer loyalty to digital transformation, meeting stakeholder expectations and delivering the broader change agenda.
Kerr Kennedy is an Advisory executive director, EY Bermuda.
Kateryna Gorbunova is an Advisory senior manager, EY Bermuda.
*EY Bermuda is part of the EY Region of Bahamas, Bermuda, British Virgin Islands and Cayman Islands.