The new General Data Protection Regulation will enter into force in May 2018. That makes now the last time for public sector organisations, private sector companies and NGOs to start to evaluate whether and what changes they need to make in their personal data management systems – in other words, to carry out a compliance assessment. An important part of any activities is asking people for consent for processing their personal data, or updating the consent if the consent elicited in the past does not meet the requirements of the new regulation. Here it should be remembered that the new regulation will apply to all personal data the organisation has collected – even from before May 2018.
It should be considered that depending on the size of the organisation, the process of gaining clarity on what, if anything, needs to be changed, can take up to four to six months on average. Nor should it be forgotten that a risk assessment and data protection impact assessment should be carried out.
We advise every organisation to think about the responses to the following questions:
- What type of data do you collect? (Are they all compulsory under the new regulation or not?) If you collect other data (besides the ones set forth in legislation, such as for the purpose of advertising and marketing), are customers asked separately for consent for these and is there a verification trail for the consent?
- How do you retain personal data? (Are data systematised, can the person’s consent be viewed in the information system?)
- How long do you retain the data for?
- Do you ask customers to update their data? If you do, in what way and how often?
- Do you share data with third parties or foreign countries?
- Is the whole process, including data collection, retention, sharing with third parties etc. also described in the internal procedures?
- Are training courses related to personal data carried out among employees?
Services related to implementation of the General Data Protection Regulation
Grant Thornton has set up a three-tiered service plan to assist customers in a convenient and simple transition to the new regulation.
It is clear that organisations will have to evaluate whether, based on their everyday activity, they will need to make changes to either internal processes or IT systems. The first and most important step in evaluation is to carry out a self-evaluation within the organisation. To make the self-assessment as simple and streamlined as possible and to let customers know which requirements their internal activities need evaluation in relation to, we have developed a self-evaluation questionnaire for evaluating readiness for the changeover to the General Data Protection Regulation. Every organisation can use this questionnaire independently.
If the self-evaluation shows that not all processes and activities are in harmony with the regulation’s requirements, it would be appropriate to carry out a more detailed evaluation to see which personal data are collected, where they are kept, how their secure management is guaranteed, including how responsibility is defined within the organisation etc. The easiest way to do this is to conduct a compliance audit.Often the audit also means the need to map the personal data handling points, as organisations frequently don’t know where and what types of personal data reside in their systems. There’s no reason to worry that this audit will be particularly costly. As the evaluation is standardised, the audit can be conducted rapidly and efficiently and thus, it will be cost-effective for the customer. We should point out that the audit is not limited to evaluating processes: in the interests of giving customers maximum added value, our compliance audit also encompasses an assessment of the conformity of IT systems to the regulation’s data processing requirements. If the audit finds that the organisation needs to introduce developments in its information system to ensure compliance with the regulation’s requirements and to ensure secure handling of data, we will prepare an IT system development term sheet for your information system developer. As preparing such term sheet for IT system development is time-consuming, having previously carried out the compliance audit gives us the knowledge of what must be modified in the organisation’s information system’s structure or functionality and how it should be done, as a result of which preparing the terms of reference is a simple and logical step.
The new regulation also mentions preparation of a data protection impact assessment. As all organisations are different, the impact assessment must be customised to each organisation – based on what personal data are gathered and processed, for what purpose and how, and what are the functionalities of the IT systems, among other considerations. An impact assessment must be drawn up by all data processors where the rights and liberties of individuals will likely be subject to high risk, considering the type, scope, context and purposes of processing personal data. This group includes, e.g. tracking cookies, IP addresses and access to premises, financial sector services (investment, insurance etc.), processing of health data, users’ data processing in online stores, processing data on customer card purchases in retail enterprises, data processing where personal data sets originating from different sources are compared (Big Data processing) and more.