Post GDPR, is your data protection regime what you need?

RSM’s Consulting Partner, Terry McAdam, continues to guide organisations through successful data protection compliance post GDPR.

Here, Terry outlines the four core building blocks which underpin GDPR compliance, originally written for the Sunday Business Post.

"The most significant change to data protection legislation for over twenty years became enforceable in May 2018 in the shape of the General Data Protection Regulation (GDPR)." Terry McAdam, Consulting Partner at RSM, looks at its impact in the world of Corporate Governance.

The GDPR has had an immediate impact which no competent business leader can ignore. How their personal data will be safeguarded is now a key consideration for individuals when they select any service provider ranging from their bank to online travel sites and everything between.

This scenario has forced consumer- and customer-focused businesses, across the EU and further afield, to deliver projects that ensure they can stringently manage the personal data shared by their customers and present themselves as trustworthy custodians of such data.

No business which interacts with consumers is immune from this important shift in client expectations. Many have initiated projects over the last year to ensure they comply with their data protection obligations. Hence, RSM are now seeing increasing demand from clients to re-assess their approach to personal data management so they can maximise GDPR compliance in light of the practical experience of the past ten months.

Such evaluations focus on whether the business has developed a data compliance regime (policies, procedures and processes) which aligns to the relevant risks prevailing in the entity; communicated its approach to staff, customers and stakeholders as required; and ensured that the initial focus on data protection is embedded and sustained through audits of practice and refresher training events for staff.

There are four core building blocks which underpin GDPR compliance.

Data protection policies

It is vital that data protection policies are communicated clearly and regularly to all staff. Compliance must be monitored through an appointed Data Protection Officer, or other personnel who hold compliance responsibility.

The data retention policy is generally regarded as the bedrock of the data protection policy suite given that, in conjunction with an Information Asset Register, it seeks to address topics including the personal data held by the business, the legal basis on which the entity processes that data, and the retention periods pertaining to the data.

Data Subject request management

The recent annual report from the Data Protection Commission (DPC) shows that the majority of the complaints received concern two scenarios: Data Controller responses to Data Subject requests, and the management of personal data in the context of data breaches.

Within the context of any business interacting with the data of individuals, it is crucially important that those charged with managing Data Subject requests are aware of the data they must provide to Data Subjects, and of where applicable exemptions exist that allow such requests to be rejected or only partially complied with.

Potential data breach management

Data breaches occur in every business. Simple user errors, such as sending an email to an unintended recipient, are commonplace, whilst cyber-attacks represent an increasing risk to all organisations. It is, therefore, very important that such potential scenarios are managed with great care.

Due to the short timeframe within which an actual data breach must be reported to the DPC (a 72-hour window), it is necessary to have effective internal processes in place to support the assessment and reporting of potential breaches.

Documents which govern data processing or sharing

Normally, the sharing of personal data between a business and its clients or customers will be governed by some form of contract or privacy statement. These documents set out the obligations of the business with respect to the data concerned and whether it will be acting as a Data Controller or Data Processor within the specific business relationship.

Typically, such passing of personal data between organisations is also governed by either Data Sharing or Data Processing Agreements. The latter usually cover scenarios where data is shared with a contracted provider (such as your IT support company) to allow the delivery of services to the business. Data Sharing Agreements, whilst similar in nature, relate to the sharing of data with a party which will act as a Data Controller in parallel with the business, for instance a legal firm or a professional expert.

In the post-GDPR era, the process of agreeing the content of such documents can require considerable resilience, as both customers and suppliers can be cautious about signing up to agreements which include complex data protection terms and potentially onerous financial liabilities.

Corporate Governance and Data Protection - Sunday Business Post Report

As published in The Sunday Business Post- 17th March 2019