The General Data Protection Regulation (GDPR) came into effect on the 25th of May 2018. From a legal perspective, this piece of legislation is a fairly new development. By result, many organisations remain oblivious to their new obligations which increases the likelihood of infringement and data breaches. This, accompanied with the past scrutiny faced by the Data Protection Commission (DPC) of Ireland, regarding their perceived hesitance to issue fines against big tech companies, has resulted in a subconscious relaxed attitude towards the GDPR. However, since late 2020 and the DPC’s national cookie sweep, the tide has begun to turn.
With a more proactive approach to enforcement by the DPC, organisations should now be looking to review and reignite their privacy culture. For more in-depth information you can register for our upcoming webinar on Data Privacy Training: Embedding a Culture of Data Privacy within your organisation.
How Can An Organisation Reignite their Privacy Culture?
The GDPR itself, particularly via those articles covering the responsibilities of data controllers, processors and DPOs, provides a roadmap for those organisations seeking to re-invigorate their data protection regime. Below, we will cover some of the core items for prioritisation when seeking to embed/re-embed a lively privacy culture across your organisation’s respective business units.
- The Importance of Staff Training.
Employees are one of a company’s most valuable assets. Employees of a business perform the day-to-day tasks, build relationships with customers and suppliers, and represent the brand image of the company through how they conduct their activities. Therefore, ensuring that staff are adequately trained should be the focal point of any organisation who wishes to build and maintain a positive brand image. Organisations often limit their privacy and data protection training to a module in the induction training of new employees and the topic is often left unvisited after this. Organisations should never underestimate the impact that routine refresher training can have on the organisation as this may help with re-enforcing basic data protection practices. Realistically speaking, it is only when staff become better acquainted with their respective role that they are in a position to apply their data protection training in a practical and effective manner. By revisiting data protection on a consistent basis, staff are better primed to implement their learnings throughout their day-to-day and are more likely to revert back to management with nuanced queries, raise items of concern and further feed into the wider privacy programme.
- Ensure Detailed Records are Kept.
One of the most prevailing issues in the data driven economy is that organisations collect a wide variety of data to provide their services. It is vital that organisations are aware of this and respond accordingly. One of the principles for the lawful processing of data is storage limitation. This is provided for under Article 5 (e) of the GDPR. This prohibits a data controller or processor from possessing personal data for any longer than required by the organisation unless required by law. To assist with this, organisations should create retention schedules to ensure that only pertinent personal data remains within their domain. Increasing awareness of what data is being held reduces the likelihood of the organisation infringing on the rights and freedoms of the data subject. Moreover, organisations should create and maintain a record of processing activities (ROPA). The requirement for an organisation to maintain a ROPA is outlined under Article 30 of the GDPR. Article 30(5) of the GDPR states that an organisation employing fewer than 250 employees is not obligated to maintain a ROPA unless the processing activities is likely to result in a risk to the rights and freedoms of the data subject. However, it is advisable for all organisations to maintain a ROPA as it allows for increased accountability and provides an extensive overview of processing activities and a demonstration of the organisations GDPR compliance. By assigning the RoPA as a deliverable to your organisation’s respective business units, you assist in embedding a culture of data protection as it imposes an obligation to understand what personal data is being processed, for what purpose, how it is justified and what the eventual lifecycle of the data genuinely is or should be. For many staff, data protection is merely a concept, an issue for compliance or legal to deal with, but the RoPA highlights the practical, day-to-day scenarios in which it truly applies.
- Appoint a Data Protection Officer (DPO).
One of the most viable ways of reigniting a privacy culture into an organisation is to appoint a privacy/data protection lead or DPO and assign a number of ‘data champions’. A data champion is a staff member nominated by the organisation to promote data protection and privacy awareness and help mitigate identified risks. A DPO on the other hand is an individual who possess expert knowledge in the area of data protection and is appointed by an organisation that assists in ensuring the organisation can demonstrate their GDPR compliance. A DPO may be appointed externally or internally. The internal appointee must remain impartial and have no conflicts of interest with respect to a dual role. While Article 37 of the GDPR highlights that a formal DPO is only mandatory in certain instances, voluntary appointment brings with it a slew of operational benefits. The role itself is outlined under Article 39 of the GDPR and includes the following:
- Informing and advising the controller and their employees of their GDPR obligations.
- To monitor compliance with the regulation, with other Union Member State data protection provisions, and with the policies of the controller or processor in relation to the protection of personal data, including assignment of responsibilities and staff awareness and training.
- Assist in the conducting of data protection impact assessments and monitor its performance.
- Cooperates with the supervisory authority.
- Act as a point of contact for the supervisory authority on issues relating to processing.
Appointing a DPO enables the organisation to receive expert knowledge in the area of data protection, It furthers allows them to adapt their processing activities and ensures that they fulfil their GDPR obligations. This reduces the likelihood of the organisation being subjected to data breaches and also prompts a vibrant data protection culture within the organisation.
- Conduct Assessments Regularly.
The best way of revitalising a privacy and data protection culture in organisations, is to be proactive. This involves organisations actively ensuring that they are complying with the GDPR in all their activities. There are a variety of assessments that organisations may consider when determining their GDPR compliance. Although organisations may conduct these assessments themselves, many opt to turn to third party consultants to ensure that all areas are considered.
One of the ways that organisations can ensure this is through the conducting of a Data Protection Gap Analysis (DPGA). A DPGA allows an organisation to determine their level of compliance through a comprehensive analysis of the 7 Data Management Principles outlined in Article 5 of the GDPR.
- Fair, Transparent & Lawful Processing
- Purpose Limitation
- Minimisation of Processing
- Data Accuracy & Quality
- Retention/Storage Limitation
- Security & Confidentiality
- Accountability & Liability
Following the assessment, areas of concern can be highlighted to the organisation for mitigation. While the primary benefit in this regard is the shoring up of gaps, the output of such assessments also generates an increased level of awareness across the organisation’s respective business functions. This increased awareness and direct application of the legislation further promotes a culture of data protection across the organisation.
Additionally, given the ever-changing and evolving nature of modern business, an organisation may be required to conduct a Data Protection Impact Assessment (DPIA). A DPIA is required when the envisaged processing will use new technologies and/or is likely to result in a high risk to the rights and freedoms of the data subject. This is provided for under Article 35 of the GDPR. This assessment must be conducted prior to the processing and should contain information such as:
- A description of the processing operations, the purpose for processing and the legitimate interest pursued by the controller, if applicable.
- An assessment of the necessity of the processing activities to achieve the purposes of processing.
- An identification and description of the risks and freedoms of the data subject.
- A description of the technical and organisational security measures implemented to address these risks to ensure compliance with the regulation.
Aside from ensuring compliance with Art.35, it is vital that organisations introduce consideration for these assessments as part of their default business case consideration as they provide a consistent opportunity for project teams to understand and adjust for data protection implications.
- Communicate with Third Parties.
In todays business landscape, personal data is one of the most valuable assets an organisation can possess. Therefore, it is extremely common that organisations now share and transfer personal data to third parties to assist them in their processing activities. Transferring personal data exposes the personal data to a new set of threats as the data protection policies or training existing in one organisation does not directly transfer over to the 3rd party organisation. This can increase the likelihood of data breaches, as well as significantly harm the brand image and public opinion of the organisation who initially collected the personal data. When sharing data with a third-party, organisation should prepare a data processing agreement (DPA). A DPA is provided for under Article 28 of the GDPR and is a contract that sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of data subjects involved and the obligations and rights of the controllers. Article 28(3) sets out the obligations of a DPA. These require that the processor:
- Processes the personal data only on the instructions of the controller, unless required to do so by Union law.
- Has ensured that they have committed themselves to confidentiality.
- Takes all measures required by Article 32 of the GDPR.
- Abides by the obligations relating to sub-processors outlined in Article 28(2) and 28 (4)
- Assist the controller in implementing appropriate technical and organisational measures for the fulfilment of the controllers obligation to responds to subject access requests.
- Assists the controller in ensuring compliance with the obligations under Article 32-36 of the GDPR.
- At the request of the controller, deletes or returns all personal data to the controller after the end of the service.
- Makes available all information necessary to demonstrate compliance with the obligations under Article 28 and allow for and contribute to audits.
Having an operational Data Processing Agreement (DPA) and due-diligence process when dealing with third parties is one of the best ways an organisation can demonstrate their compliance in this area. One of the main reasons that this practice should exist in every organisation’s culture is that this reduces the risk of a third party acting negligently at the expense of the controller. Additionally, by embedding this process as a default deliverable within the procurement process, organisations further embed and highlight their proactive and diligent stance with regard to data protection. When a business unit seeks to onboard a new service provider, it will become habit to assess where the provider is located, the level of detail provided in their public facing documentation and the general likelihood that the service provider will be a good fit for the organisation.
In the last few years, due to an increasing level of dependency on technology, data breaches and hacks have become increasingly more common. In 2018, it was revealed that after the Cambridge Analytica Scandal 2.7 million European Facebook Users data had been shared. In 2020, Snapchat were targeted by a hacker group to demonstrate faults and weakness in their security features. In 2021, WhatsApp has been fined 225 million based on a lack of transparency in their privacy policies. With that said, it is no understatement that the area of data protection and privacy has had a turbulent couple of years. The increasing volume of fines being issued has resulted in a greater distrust from data subjects regarding how safe their data will be when being processed by certain organisations. By result, the necessity for organisations to re-ignite a culture of data protection and privacy within their organisation has never been greater.