You’ve reached the end of 2018 having successfully implemented your GDPR programme – but what’s next for 2019?
Opinion Piece by Paul Gillingwater, MBA, CISM, CISSP
Your company's compliance team just celebrated the end of 2018 with a victory: you successfully completed your GDPR implementation programme, and along the way dealt with a couple of fortunately minor data breaches and a dozen or so Subject Access Requests.
Your VP for Compliance just completed her report to the Board of Directors, assuring them that all relevant risks have been managed, and your budget for next year has been approved.
So what is your plan for 2019 – 2020?
PECR & ePR
2018 saw many significant changes to data protection law across Europe, with the entry into force of the GDPR, and the passing of the U.K. Data Protection Act (2018).
The Information Commissioner’s Office has been busy with various high profile investigations, and several significant enforcement actions. The PECR has also been updated, making Directors of companies engaging in unwanted mass emails or phone calls personally liable, with fines up to £500,000.
But some legal changes that were anticipated didn't happen. For example, the ePrivacy Regulation was delayed indefinitely, as lobbyists and member states negotiated behind the scenes on a workable compromise.
So moving forward, it seems this is the right time to consider some of the challenges and new opportunities that will be faced in the coming two years.
Top-of-mind for many businesses in the U.K. is the potential disruption caused by a hard Brexit. If this occurs as many expect, the U.K. will no longer be part of the E.U. from 29 March 2019, which will invalidate selected legal agreements.
For example, companies in the U.K. that rely on the EU/US Privacy Shield will no longer be able to use it as a valid transfer mechanism, since the U.K. will no longer be covered, and there is no evidence of efforts to negotiate a separate UK/US Privacy Shield, as Switzerland has done.
27 December 2018: The U.S. Department of Commerce, which is responsible for administering the EU/US Privacy Shield, updated its advice in late December on what will happen to Privacy Shield in the event of Brexit.
Participants in the Privacy Shield program must update their Privacy Shield commitments so that they specifically include the U.K., separately from the E.U. Model language to achieve this is provided on the DOC web site.
Depending on whether there is a negotiated or a so-called "hard" Brexit, there are different dates by which this update must be completed. In a negotiated Brexit, there would be a transition period running until 31st December 2020, while a hard Brexit will require these changes by 29 March 2019.
Binding Corporate Rules
Many very large companies have arranged Binding Corporate Rules (BCR) as their legal transfer mechanism for sending data from the E.U. to third countries. There is a measure of uncertainty over whether some of these will still be valid if the lead regulatory authority was the U.K. ICO. Whether these BCRs will need to be sponsored by another regulatory authority remains to be seen.
Another area of impact relates to Article 27, which requires companies not based in the E.U. that process certain high-risk data of E.U. residents to appoint an E.U. representative.
Now that the U.K. is leaving the E.U., this appears to be a new obligation for such U.K. companies. Determining whether E.U. representation is required, identifying which countries may require this, finding a suitable representative and negotiating a contract with them are tasks that should be completed within the first quarter of 2019.
Supply Chain Audit
Article 28 of GDPR reinforces the ability of Data Controllers to audit the data protection capabilities of their processors and joint controllers.
2019 should be the year to make agreements with your supply chain, with special focus on those who are processing personal data. Those agreements should describe the scope of what will be audited, when it will be done, and how.
So far, supervisory authorities haven’t updated their guidance for data protection audits, so there is some confusion about exactly what needs to be done.
Establishing a regular program of conducting such audits, at least on an annual basis, should be a priority. This means establishing a system of governance, reporting and mitigation in case of adverse findings. One key question is whether this will be done in-house, or outsourced to a specialist, such as Chaucer Group.
Establish a Strategy
Compliance with data protection law can be managed in two ways.
The conservative, traditional approach is to take legal advice, prepare policies and procedures, hire the right people with necessary skills, and meet the minimum standards that will prevent your company from being fined.
But increasingly, businesses are realising that data protection and privacy can be business enablers, which can help to differentiate your business from that of your competition.
Establishing a strategy means deciding how to realise the advantages of strong privacy practices in a way that aligns with the business goals of the organisation. In particular, it means benchmarking your performance against similar industries, and looking to establish a leadership position in your business sector.
This can be facilitated by working on creating industry-wide or regional data protection Codes of Conduct, through a recognised not-for-profit trade association or other formal body. Taking the lead in such activities can also create name recognition among regulators and customers. Co-operation with academic institutions and independent privacy researchers is another option, although this can introduce additional risks if not carefully managed.
Your strategy should also take into account the changing regulatory landscape, such as the forthcoming ePrivacy Regulation (which may arrive by 2020), and changes at the state and federal level in U.S. privacy laws.
Also helpful are decisions and opinions from the European Data Protection Board (successor to the Article 29 Working Party), and various legal rulings originating from member state courts. Above all, recognise the high value of the personal data your company is processing, and the trust your customers place in you to protect it against abuse or exploitation.
ISMS and DPMS
As business process maturity develops (perhaps along the lines of the Carnegie-Mellon Capability Maturity Model), organisations will see the benefits of formal governance processes.
This has been well exemplified in the IT security sector, with the creation of Information Security Management Systems (ISMS) following the ISO 27001 set of standards.
While at present no similar standard exists for data protection, there is enough published best practice to allow an organisation to build a Data Protection Management System (DPMS), with associated metrics, risk assessment, independent review and continuous improvement.
Also analogous to the ISMS concept is that of creating a Privacy Operations Centre (POC), similar in concept to a Security Operations Centre (SOC).
Such a structure can draw together talented privacy professionals across a larger enterprise into a virtual POC team, which can include a rapid-response unit that focuses on personal data breaches, working closely with the SOC to assess the risk that security incidents pose to the rights and freedoms of individuals.
Naturally, a POC needs a POM, which is a Privacy Operations Manual. This will consist of a set of Standard Operating Procedures (SOPs), which are focused on different areas of data protection.
For example, in the Life Sciences sector, a vital SOP will relate to the company’s standards, best practices and exception reporting for pseudonymisation of special categories of personal data, such as the medical reports from clinical trials, pharmacovigilance alerts or adverse reaction reports.
Chaucer has worked extensively with several life sciences businesses to ensure their SOPs relating to personal information and data integrity are fully aligned with GDPR, GCP, GMP, GXP, HIPAA and other relevant standards.
Paul Gillingwater is an Associate Partner at Chaucer Group, responsible for privacy and data protection.