Preparation for Storm GDPR
Terry McAdam, Management Consulting Partner, RSM Ireland, said:
In recent months we have seen a huge focus, within our projects, on the development of updated data processing agreements to govern the relationship between Data Controllers and Data Processors. However, many such documents remain unsigned by the recipient organisation as the expectations of the controller and processor around the terms of the agreements (and the related technical and organisational measures) are not aligned. This impasse is resulting in many controllers and processors reaching the GDPR date with their data responsibilities either remaining undocumented or governed by non-GDPR compliant agreements. Neither scenario is ideal or easily addressed without proper engagement by both parties.
Steven Vermeulen, Certified Information System Auditor, RSM Belgium, said:
There is still a great need for accurate information on GDPR for Belgian businesses. A first wave of advice from a legal perspective has passed, and in this respect we saw a lot of improvements with regard to updated contract clauses. However, clients are urgently looking for consultants to help them put the legal, theoretical compliance into practice. A huge war for talent is raging across Belgium for people who have a sound understanding of GDPR and knowledge of implementing it on the IT side of the business.
As a reference, RSM Belgium uses the ISO27001 framework. This framework around data security is a perfect guideline and offers near-synchronicity with the current GDPR legislation.
Rien Hommes, Head of Risk Advisory Services, RSM Netherlands, said:
The GDPR makes it a requirement that organisations appoint a data protection officer (DPO) if they are a public authority, if they carry out large-scale processing of special categories of data, or if they carry out large-scale systematic monitoring of individuals. We are seeing many organisations struggle with the DPO function: their role, their position in the organisation and their tasks.
Furthermore, I have seen many examples of poor software tools that are meant to act as an information asset register, but implementation of these often leads to disappointment. I strongly advise evaluation of these applications before using them. Often, input to the register is not automated or there is no link to the automated processes in the organisation. In many cases, other required documentation cannot be registered, for example, incidents or data leaks that occur, or the archive policy or archive terms.
Businesses often forget to prepare a privacy declaration for their website, as well as internal guidelines for staff. These documents are not legal documents and should be written in a clear, concise and understandable way. They should also be interrelated.
Sheila Pancholi, Partner, RSM UK, said:
Over the past year we have seen middle market clients struggling to determine how to approach GDPR readiness. However, they are now concerned about how they will maintain oversight and governance for GDPR compliance post 25 May. The role of the DPO/DPO ‘designate’, responding to data subject requests and keeping updated records of all processing activities are deemed resource-heavy, and many businesses are concerned that they simply won’t have the resources to support these requirements on an ongoing basis.