6 Reasons why you should not trust your CIO with GDPR
Mark Roebuck, MSc, MBA
Founder of ProvePrivacy: Data protection compliance platform.
You have no doubt heard about the General Data Protection Regulation (GDPR), effective from May 2018. People have probably not mentioned the uncapped legal liabilities a breach might bring, but you will have heard about the administrative fines of up to €20m or 4% of global turnover, and let’s face it, they should be reason enough to sit up and take notice. So I wonder why, when I speak to businesses, it seems to be only the IT industry that is engaging with the issue. When I spoke to an M.D. who runs a growing research company about GDPR last week, his response was “it's OK, I am sure my CIO is all over it”, and I wonder how many other senior executives have the same perception.
Now, I don't think it is hard to imagine an IT system as a great big filing cabinet, so humour me for a minute whilst I extend this analogy. If that were the case, and the business process was such that it collected papers illegally and stored them in the cabinet, would the filing cabinet be at fault? If the process was to take a paper from the cabinet and write to people who didn’t want to be written to, would that be OK? Of course not, but it is exactly these types of issue that GDPR addresses.
As a certified GDPR practitioner I have studied the regulation, and as a business consultant I have pondered its practical impact on business operations. Here are some good reasons why business owners and execs should take accountability and not (entirely) trust their CIO with GDPR.
Reason 1 - Information held and used
Under GDPR, any personal data held should be documented and understood, and only the minimum amount of data needed for the legitimate purposes of the business should be collected. Therefore, the business needs to understand the data it collects, why it needs it, where it collected it from and whom it shares it with. A data protection impact assessment (DPIA) can help to address this gap, and IT can help, but it is the business which needs to own this assessment, as it is the business that uses the data.
Reason 2 – Lawful basis for processing
An organisation needs to be able to evidence the lawful basis for its processing activity under GDPR. There are a number of lawful bases for processing data, including fulfilling a contract, complying with legal obligations and consent (which is discussed later). It is the business, and not IT, that needs to determine what information it includes in its privacy statement based upon these bases.
Reason 3 – Individual’s rights
A revised set of individuals’ rights now exists, including ‘the right to erasure’ and ‘the right to rectification’, and these now extend to organisations with which data has been shared. Whilst it is true that the physical destruction of data under this new right will probably fall to an IT process, the business must have decision-making procedures in place to confirm that no grounds exist for refusing to erase the data. Therefore, business processes must be reviewed and amended to comply with this and the other rights which data subjects now have, and IT should act on the instructions of the business.
Reason 4 – Subject access requests
Organisations must be able to respond to subject access requests within new timescales, and these must now be handled ‘free of charge’. The IT department will need to be able to react quickly to meet these timescales, but the business procedures will also need to be very responsive and kept up to date to ensure that the specific disclosures required are made to data subjects.
Reason 5 – Managing valid consent
Consent… what should we say about consent? It is probably one of the biggest impacts on the business. Now that consent must be explicit and evidenced by ‘an affirmative action’, it is entirely possible that historically collected data will no longer be valid, and without valid consent marketing won’t be able to profile or target new products or services. The business should review now how it seeks, records and manages consent and get ready for the new law, giving the business the best hope of retaining its historic data.
Reason 6 – Data Protection Officers
Each business will need to determine whether it is required by law to designate a data protection officer (DPO). If not, it should still have a responsible person to manage subject access requests, data breaches and impact assessments.
I don’t want to give the impression that the CIO and the IT team should stop responding to the threat of GDPR, because I would suggest that the most significant risk of receiving a major fine comes from the threat of large-scale data breaches. It follows that mitigating the risk of a breach is a very effective way of responding to the new law, and IT departments should continually assess their vulnerabilities. What really needs to happen, in addition, is that the business should start to understand and mitigate its own vulnerabilities and risks.
Data protection by design
In future, data protection needs to be designed into business processes and IT systems, and whilst the CIO will continue to protect IT assets, the business must now make sure that it considers the impact of change on any new process, procedure or product which involves personal data. One such business process which will need to be in place before May next year is how to manage data breaches, and it’s clear that a close working relationship between IT, business operations and the DPO will need to exist.
Back to the filing cabinet
So, going back to our filing cabinet analogy and imagining we are part of a solid, well-run business: we now collect our papers legitimately, we have a system in place to shred the papers when we no longer need them, we know where the papers are and can tell our customers what we hold, and we can respond to questions or objections when they are raised. In the meantime, we as a business insist that the filing cabinet is kept locked to keep unauthorised people out of it, and we might even upgrade it to a fireproof cabinet to protect it from other risks. But there is no getting away from it: responsibility for the whole life of those papers is not entirely the role of the filing cabinet.
If you are concerned that you don’t know enough about the potential impacts of GDPR on your business or you are concerned that the business is not doing enough, then give me a call on 07742 200020 and we can discuss your concerns.
Mark S Roebuck
Founder of ProvePrivacy: Data protection compliance platform.
7 years
Privacy by design from a business perspective will be achievable through undertaking an analysis of the change in business process at the commencement of the project. This can be achieved through a data protection impact assessment which should be signed off by the DPO. Is this what you mean?