GDPR: WHAT WE HAVE DONE
You’d probably have had to have been on an extended holiday on the moon not to be aware of the GDPR, the EU’s move to strengthen and unify data protection for all individuals within the European Union, which applies from May 2018.
It is one of the most significant developments in the history of data protection, bringing with it a raft of new requirements for both Data Controllers and, critically, Data Processors. Under the current EU Data Protection Directive, only Controllers are directly liable for data protection compliance; that is all set to change, and with it the fundamental relationship between Controllers and Processors.
Given that, and given all the other headline changes (the much tougher controls around consent, broader data subject rights, the need for privacy by design and by default, the necessity for strong, auditable information governance, the potentially punitive fines), you would think that we, as a data processor for hundreds of clients, would have been inundated with client requests wanting to talk GDPR. After all, as law firm Wright Hassall so succinctly puts it:
“…Data Controllers should be carrying out due diligence enquiries of the Data Processor’s ability to comply with the GDPR. The GDPR places an obligation on a Data Controller to only use Data Processors that are able to demonstrate compliance.”
But at the moment the flow of inbound requests has been much lighter than we anticipated, which suggests that there may be some frantic months ahead for some organisations as they come to terms with what is required of them.
The good news though is that Redcentric has been working hard to ensure that the Controller/Processor relationship under GDPR is rebuilt on very solid foundations, and that our clients can be assured that they are indeed working with a Data Processor that is fully compliant.
Interestingly, for us as an organisation, compliance hasn’t been that onerous. Because of all our work within government and the public sector, we already operate to some of the highest information security and data protection standards there are. When we compared our current operating procedures against the core principles of the GDPR, the deltas were minimal in most cases. That has allowed us to drive through a very aggressive full compliance project in less than nine months, with completion set for December. Process development and procedural refinement have largely been the order of the day, orchestrated by a dedicated project team, and in some respects it has just been a different flavour of the various exacting information assurance (IA) projects we have undertaken previously.
The real challenge, and the bit that has taken the time, the energy and the patience to pull off, has been determining exactly what data we are processing on behalf of our clients; and not just what, but why, and for how long. Of course, in many instances we already knew, because it was clearly defined in our data processing contracts; but in others, particularly amongst co-location clients, we didn’t know, and to round off our compliance effort we needed to find out.
Consequently, much of our focus since March has been reaching out to clients and helping them to help us get the information we require. Because of the nascent state of many people’s preparations generally, that has required a bit of hand-holding, encouragement and advice along the way. But we are shortly to be in a position where we can map every client’s data, wherever and however it sits within our domain. From there we can ensure visibility of the duration, nature and purpose of the processing, and maintain a record of all categories of processing activities.
I daresay that our persistence may have rankled with some but client organisations need to understand that managed service providers like ourselves are making these huge efforts for mutual protection. Yes, the GDPR is imposing a high duty of care upon data controllers in selecting their data processing service providers; but those service providers are now facing completely new rules of engagement. For the first time we are being placed under a direct obligation to comply with certain data protection requirements which previously only applied to data controllers. And with the GDPR making data controllers and processors jointly and severally liable, it’s in absolutely everyone’s interest for us to be as persistent, diligent and annoyingly tenacious as possible.
This isn’t a box-ticking exercise; it’s a thunderous, seismic change in data protection, information governance and security. Much has been made of the potential fines for breach, and less of the mitigation available if you can clearly demonstrate that you have made every effort and taken every precaution. Here at Redcentric we have started as we mean to go on, and that will be everyone’s best defence come May 2018.