
46 days until GDPR

Apr 03, 2018
With just 46 days to go until the General Data Protection Regulation (GDPR) comes into force, time is in short supply for organisations to become compliant, writes Carol Murphy.
 
The General Data Protection Regulation (GDPR) won’t be ‘done’ on 25 May 2018. Rather, GDPR is about transparency and accountability; organisations must be able to demonstrate compliance on an ongoing basis by maintaining, improving and implementing data protection procedures and documentation as the organisation’s processing activities evolve. In other words, GDPR compliance is not a tick-box exercise; it requires ongoing focus and commitment to deliver, sustain and demonstrate compliance for any organisation.
 
There have been many reports that a large number of organisations are still unprepared for GDPR, or are confused about what to do. EY recently hosted an interactive panel discussion with a number of GDPR practitioners and consultants on the practical steps that need to be taken to prepare for compliance. The paragraphs that follow summarise that discussion.

Progressing GDPR compliance

Companies that still haven’t made progress on compliance, or are confused as to what to do, should assess the situation immediately. Each company should conduct a data inventory and a data flow map. This will give an understanding of what personal data is being held, where it is held and why. It will also help organisations identify data that should no longer be held and, therefore, can be deleted. Article 30 of GDPR makes it mandatory for data controllers (and, for their own processing, data processors) to keep a written record of processing activities and to maintain and update that record on an ongoing basis; the record must be made available to the supervisory authority on request. Understanding how data is transferred within an organisation is vital for two reasons: first, for internal compliance; and second, to ensure compliance across the organisation’s data supply chain, including the processors and other third parties that receive personal data from it.
 
Once a good understanding is established of what data is being processed by the organisation, this should be followed by a gap analysis to assess the level of compliance with GDPR and identify the remedial steps that must be taken. If a business hasn’t yet started its GDPR preparations, it is unlikely to be fully compliant by the deadline of 25 May 2018. It is nevertheless vital that non-compliant organisations can demonstrate that they have made a genuine effort to comply. While this will not make a business immune from being reprimanded, it will likely be in a better position than if it cannot demonstrate that any effort has been made.
 
Over the last few months, as organisations have begun to get to grips with what GDPR will mean for them, the initial concerns around the data security aspects of the regulation have shifted to the consent and transparency elements. Organisations should review their existing data privacy notices to ensure they comply. Under GDPR, individuals must be told what personal data is collected, why it is collected, the legal basis for processing it, what will be done with it, who it will be shared with, and how long it will be retained. As organisations travel on their GDPR journey, establishing a culture of respect for data protection and privacy will be essential to ensure that data policies are understood and acted upon. For example, GDPR requires that a personal data breach be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33); where the breach is likely to result in a high risk to individuals, they must be informed as well (Article 34). Because the 72-hour clock starts at the moment of awareness, staff must know how to recognise and escalate an incident internally; awareness and the right culture around this requirement are fundamental.

Conclusion

As the enforcement date draws closer, it is worth noting that the draft Data Protection Bill, which is intended to give effect to GDPR in national law, has yet to be passed and has already been the subject of much controversy and challenge.
 
Regardless of what happens with the Bill, GDPR is a regulation and applies directly in every member state, so organisations must act now to ensure they are ready to comply with it when it comes into force on 25 May 2018.
 
Carol Murphy is a Director in the Advisory division at EY Ireland.