IBM led from the front at the GDPR Summit: London, outlining the tech giant’s compliance and data security strategies in preparation for the May 25th deadline.
Addressing a packed-out GDPR Roadmap theatre, European Leader for IBM’s Cloud IaaS, Jonathan Wisler, identified compliance, data protection, and personal data, as the three main challenge areas to business. He went on to highlight how organisations must seize the massive opportunity of the new legislative climate by maximising the value of the data we hold.
Delegates heard how many companies mistakenly see the GDPR as a threat, while 18% of firms in a Forrester-commissioned survey considered themselves well on the way to compliance.
Building on the importance of knowing where your data is, who controls it and how it’s encrypted, Richard Hogg, leader of IBM’s Global GDPR and Governance, established IBM’s five phases to readiness, and outlined practical steps companies need to take:
- Assess: Conduct GDPR risk & privacy assessments across governance, people, processes, data security; develop a GDPR readiness roadmap; identify and map personal data.
- Design: Design governance, training, communication and process standards.
- Transform: Develop and embed procedures, processes and tools; deliver GDPR training; develop and embed privacy by design, security by design, detailed data discovery.
- Operate: Execute all relevant business processes; monitor security and privacy; manage consent and data subject access rights.
- Conform: Monitor and assess; report and evaluate adherence to GDPR standards.
Audiences across three theatres benefited from a number of panel discussions throughout the day. That critical 72 hours that organisations have to report a data breach to regulators was a key issue in the HR Briefing theatre.
According to ICO guidelines, a data breach must be reported to the regulator within 72 hours “of becoming aware of the breach”, and that last part was a sticking point.
Emma Burns, Partner and Head of Employment at Hugh James, speculated that lawyers might argue for some time over how to interpret what becoming “aware of [a] breach” constitutes, asking precisely who needs to be aware.
Audience questions prompted the panel to acknowledge the obligation to keep checking for data breaches and for the possibility of them. Companies themselves need to be on top of and leading on this issue, not sitting back until someone else flags up a problem.
Jim Steven, Head of Data Breach Services at Experian said that “something being awry” doesn’t necessarily mean a breach has taken place, and that that may introduce more time into the reporting procedure.
“One of the best forms of remediation is making sure the leak is closed down. If it’s a hashed password, let the person involved know. Proportionality is key – consider what is a proportionate response to the data loss,” Mr Steven said.
The panel also pointed out that security has to be underpinned by risk assessments appropriate to the data being processed. Technology and procedures combine to manage risk, but questions must continually be raised as to how sensitive the data is, and to what extent an individual would suffer through its loss.
The Data Protection Officer (DPO)
Richard Merrygold, Director of Group Data Protection at Homeserve was among panelists at the GDPR Roadmap theatre for debate on the requirement of a DPO.
An independent role within an organisation, the DPO is there to inform and advise on processing activities and associated risk. They monitor GDPR compliance, deliver training and raise awareness, and should be involved in DPIAs. They also liaise with the ICO or other regulatory body and work with consumers to exercise their rights.
But the need for a DPO will depend on whether or not an organisation’s data processing is ‘large-scale’, the audience heard.
Shedding light on the definition, fellow panelist Emma Burns said: “A GP practice with 1,000 patients would need a DPO”. Emma balances DPO duties with the requirements of her standard role at law firm Hugh James.
“You could have a voluntary DPO role, or it could be a team of key personnel within the business that you delegate responsibility to. A team of people should be in place, whether there’s a DPO or not,” recommended Claire Brooke, Employment Law Partner at Aaron & Partners.
In a later talk, Richard Merrygold, who has ten years’ experience as a DPO in healthcare, reminded us that, far from the preconception of a finger-wagging hindrance to business, DPOs are humans too and actually want to help.
“Let DPOs get involved from the start of a project and they’ll find a way to let you achieve what you want. This means asking lots of questions. And if something goes wrong, don’t pretend it didn’t happen; tell the DPO the second it comes up and we can get a plan in place to solve things.”
“Trust us to do the right thing – we’re skilled and knowledgeable in our roles. Our work engenders trust in our customers.”
“Ultimately, the DPO must balance the rights and freedoms of individuals against the commercial desires and needs of the business,” he added.
Compliance in recruitment
As a sector built upon data, recruitment companies will likely need DPOs. But heavy regulation means operators in the sector will already be familiar with compliance duties and practices; structures will already be in place.
Addressing the HR Briefing theatre, Tania Bowers explained how the GDPR is a chance for CEOs to streamline by questioning whether they really need the data they hold, how secure the data is and whether those processing it have been adequately trained – a fundamental aspect of the GDPR.
The Director at Foxgrovelegal referred to the ICO’s lawful basis interactive tool to establish lawful grounds for processing.
Reboot your thinking
The overarching message of the day was established by Ardi Kolah, LL.M. The Executive Fellow and Director of the GDPR Transition Programme at Henley Business School stressed that the journey to GDPR compliance will be based on a risk-based approach to data protection and security.
Those who do not have a plan should not expect mercy from the regulator, should transgressions materialise.
“It’s about reputation, not regulation. Business continuity, risk, and technology. [The regulator] is looking for behaviour about actions: how can you guarantee that you’re compliant?”
“Don’t focus on fines and sanctions; think about doing more, not less with digital personal data and processing it in accordance with new standards.
“If you decide you don’t need a DPO, record the reasons why… It’s about accountability. If there’s a personal data breach, you’re going to have to justify your actions and illustrate how risk has been mitigated,” he added.
To attend the next GDPR Summit, visit the website for more details.
By Tom Jenkins, Features Editor, GDPR Report