Ardi Kolah LL.M, Executive Fellow and Programme Co-director at Henley Business will be speaking at the GDPR Conference Europe on 27th April. We spoke with him about how businesses can comply with the accountability principle.
What is a Data Protection Impact Assessment Lite?
The Data Protection Impact Assessment (DPIA) is a tool used by data controllers to comply with the accountability principle, which runs all the way through the EU General Data Protection Regulation (GDPR).
A DPIA is a very important tool and process, which has its own article (35) in the GDPR. A DPIA in accordance with the GDPR must be conducted when specific high risks occur to the rights and freedoms of data subjects, in relation to the processing of their personal data. Risk assessment and mitigation of that risk are absolutely critical and are required by the GDPR. It is expected to be done by every organisation, whether they are private, public or in the voluntary sector. It is overseen by the supervisory authority in each country. In the UK, the supervisory authority is the Information Commissioner's Office (ICO).
What are the first steps for companies to be GDPR ready?
An organisation needs to answer two questions. Firstly, have all their material risks been identified? This includes the risks to the rights, freedoms and interests of their data subjects: their customers, their clients, supporters if they are a voluntary organisation, partners, associates. And also, very importantly, their own employees, because they have their own data protection rights under the GDPR. The second question is, have all appropriate steps been taken to address the risks there are to the processing of personal data, and have they mitigated those risks?
You must also comply with the regulator of your particular sector as well as the supervisory authority (ICO). Those two bodies will work very closely. Organisations have also got to consider what they are doing, what the risks are and how they are going to mitigate those risks. Between now and the 25th May 2018 is currently the window for you to do that.
Even with the best will in the world, you won’t be able to comply completely with the GDPR if you are starting from scratch today. But you would be able to identify very high risks or absolute risks in your business which present a risk to your customers and clients and mitigate that in a way which turns it into a residual risk.
How can organisations verify and demonstrate compliance?
In certain cases, organisations must not only be able to say they are compliant, but they must actually demonstrate it. If the organisation has had a data breach, either they have been hacked by an external party, or maybe there has been a problem internally, such as people not being properly trained, or perhaps they have sent data to places where they shouldn't have done. You would then have to report that within 72 hours of it happening to the advisory authority.
They would then expect you to create an initial personal data breach report, to carry out a full investigation internally, and then to deliver a final personal data breach report. Both reports will be compared to see if you knew what was happening. If there is a vast difference between those two points, then this would signify that you probably didn't know what was going on and would indicate a higher level of penalty and sanction. They will then look at what you have done forensically in relation to those data subjects that have been impacted by the personal data breach.
If you can demonstrate that you have given the appropriate data privacy notice based on how you were processing a customer’s personal data, then that will be very helpful to ensure that you are not going to be hit with a very significant fine or penalty.
Why should companies conduct risk management?
All organisations are under a duty to ensure that, if they are processing anyone's personal data, they comply with the law. All organisations in the UK have been subject to the Data Protection Act (DPA) of 1998. The Data Protection Act came from the Data Protection Directive 95/46/EC, which will effectively be repealed on the 25th of May 2018. The government are currently drafting a new DPA in alignment with the GDPR and have said that the UK will adopt the GDPR fully and that it will remain even when we leave the European Union.
It is in the interest of the UK and all organisations to have certainty in relation to the transfer of personal data both into the UK and out of the UK, with respect to the 500 million people that are within the European Union, because this has an economic benefit for the UK.
The UK has been very much at the forefront from when the GDPR was first drafted, has a very high standard globally in terms of setting the benchmark for risk management in relation to the processing of personal data, and continues to have that globally.
For businesses, this adds a level of trust and confidence, and they can continue to be hugely successful and earn the trust and confidence of those who share their personal data with them.
The GDPR Conference Europe will take place on 27th April in London.