The world turned on its axis, the sun set and the moon rose… 25 May 2018 was just another day. It was also the day GDPR went live – a day preceded by panic, anxiety, long hours, endless meetings, huge spreadsheets and confusion!
We are now living in the reality not the hype.
The reality is that GDPR is just one of many compliance issues for the organisation – is it more important than treating customers fairly, health and safety, food hygiene or IFRS9?
Yes, the stakes are high: a maximum fine of €20m or 4% of turnover. But there are also major ramifications if the Financial Conduct Authority (FCA) invokes enhanced supervision/special measures, or from a corporate manslaughter case or an accounting scandal.
Not everyone has to panic. GDPR is essentially an enhancement of the Data Protection Act. The big change relates to personally identifiable data, particularly in high volume.
Internal audit can help their organisation apply objectivity and proportionality to their endeavours. Prioritising resource is a constant juggling act. With all the focus on GDPR what about other projects, core operations, strategic goals? Is a quick health check needed? Are all the balls still in the air or has one been dropped?
And what if the GDPR deadline came too soon? Internal audit needs to be part of the solution: when someone falls over, you offer a hand, not a boot.
Be proactive. Maybe a word with a director can get a flagging project over the line, or an auditor can be seconded to facilitate a workshop to identify and prioritise GDPR risk exposures, document the data flows and/or make the necessary changes to policy and processes.
Does the organisation have a designated role as a data controller, processor or both? Controllers and processors must document all instances of processing: what is processed, how it is carried out, its lawfulness and whether there is interaction with third parties. Controllers should request this information from their processors.
Who has accountability for access requests? If an individual makes an access request today, what is the process for managing it within the defined timescale? Regardless of the size of the organisation, this should be clearly defined. Whether it is an individual or a team, do they have the documented data flows to support them in doing this, or will every request be dealt with ad hoc?
Has the data breach response plan been updated? GDPR requires data breaches that put personal data at risk to be reported to the Information Commissioner's Office (ICO) within 72 hours.
Has the organisation appointed a Data Protection Officer? A DPO is mandatory for public authorities, large organisations and those of any size where large-scale data processing and monitoring are carried out.
The ICO has a useful guide for what organisations need to do to comply.