Guest cybersecurity comment by Tim Hyman* of 2Twenty4 Consulting
The General Data Protection Regulations are the most significant development in data protection that Europe, possibly the world, has seen over the past twenty years. There is a much greater emphasis on accountability and the principle aim is to move control back to the end user or data subject. To reinforce this there are many new auditable obligations and whilst the maximum penalty of 4% of global revenue grabs the headlines there are a number of other significant changes.
One of these relates to the lesser known penalty of 2% of global revenue for administrational non-compliance. New powers of audit mean that a data breach is not required before penalties kick in, lack of the appropriate documentation and/or protective processes are enough to warrant penalty. The person responsible for overseeing and maintain the new compliance requirements is the DPO or Data Protection Officer.
Not all businesses will be obliged to appoint one but even those that do not will still need someone to monitor compliance and take responsibility for data processing records and liaising with the authorities and data subjects.
GDPR states that a firm will require the appointment of a DPO in the following circumstances:
Data controllers (law firms) and processors (cloud service providers) shall designate a data protection officer in any case where:
• the processing is carried out by a public authority or body
• the core activities of the controller or the processor consist of processing operations which, by virtue of their nature require regular and systematic monitoring of data subjects on a large scale; or
• the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9
For law firms, it is the latter of these categories that will almost certainly apply. Having someone responsible for Data Protection is nothing new and it should be a straight forward conversion from the existing COLP or Head of Compliance to the new formal DPO role.
The duties of the DPO are unsurprising but with the additional requirement to deliver internal user awareness which when aligned with existing Information Security education will be a welcome addition to other compulsory learning participation such as anti-money laundering. DPO duties include:
• to inform and advise the law firm of their obligations pursuant to this Regulation;
• to monitor compliance with GDPR,
• awareness-raising and training of staff
• internal audits
• to provide advice regarding the data protection impact assessment and monitor its performance
• to cooperate and act as the contact point with the supervisory authority;
Perhaps more interesting however, and the reason for a close IT/DPO alliance going forward are the new obligations of a business regarding the role.
LAW FIRM OBLIGATIONS
All firms will have the following obligations to a DPO when in existence:
• ensure that the data protection officer is involved in all issues which relate to the protection of personal data (this will include IT solutions and services)
• provide resources necessary to carry out those tasks and access to personal data and processing operations,
• He or she shall not be dismissed or penalised by the firm for performing his tasks.
• report to the highest management level of the firm
The fact that a firm is obliged to ‘provide the resources necessary’ represents an excellent opportunity for IT to work with the DPO to achieve the appropriate budget and resources to deliver a robust Information Governance strategy – something that IT Directors have been struggling to justify on best practice principles as opposed to obligation.
So, with the DPO responsible for ensuring appropriate data protection measures are in place and with the new power to ensure resources are provided, a much closer alliance between IT and Risk will be the ideal way to provide the technical and legal expertise required to ensure compliance.
This is also borne out in the work needed to prepare the business for the May 29 2018 compliance deadline. To develop a GDPR Compliance Plan, it is first necessary to document current data practices and processes and understand any risk. This is achieved by first carrying out an Impact Assessment which can be broken down into three phases, Discovery, Risk Assessment and Mitigation Planning.
A Data Protection Impact Assessment is a tool designed to enable firms to work out the risks that are inherent in proposed data processing activities before either the legislation deadline in May or in future when planning a new system or process. This, in turn, enables firms to address and mitigate those risks before the processing begins.
It may also even be mandatory as where a new processing activity is proposed (especially where new technologies will be used) resulting in a high degree of risk for data subjects, the controller must first conduct an Impact Assessment. A single Impact Assessment can cover multiple processing operations that present similar risks.
Essentially the Impact Assessment has 3 key activities:
Data Mapping: A comprehensive and documented survey of all systems and processes where personal data is at play
Risk Assessment: An assessment of potential non-compliance based on the findings of the data and process mapping
Mitigation Plan: A documented approach to the risks discovered using a REMOVE, REMEDIATE or ACCEPT approach.
GDPRREADY COMPLIANCE FRAMEWORK
To assist firms with the initial preparation phase including the Impact Assessment we have developed a GDPRready Compliance framework that has 4 key phases
Step 1 – EDUCATE
GDPR Overview Workshop - an onsite workshop to build GDPR awareness and secure buy-in with your key internal stakeholders, custom-tailored to the needs of your firm.
GDPR Assessment workshop - A workshop for internal staff responsible for owning the assessment process.
Step 2 – DISCOVER
Impact Assessment – using our GDPRready Data Register and GDPRready Impact assessment templates you will document, data flows, gap analysis, risk assessment and remediation plans.
Step 3 – PLAN
GDPR Preparation Plan – document actions needed to prepare for and maintain GDPR compliance. Understand budget required and systems and processes that require modification.
Step 4 – MAINTAIN
Maintain compliance by aligning processes with our 12 best practice Information Security policies
GDPR is only 18 months away and any firm that has already started an Impact Assessment will know that they need all the time available to prepare. This a business project, owned at board room level but best managed and delivered by the IT/Risk team. This is an excellent opportunity for IT to provide leadership in a high-profile business project, get budget for Information Governance projects and now mandatory Security Awareness training and provide Impact Assessment advice to the firm’s clients. The Data Protection Officer will have a far reaching range of new responsibilities and powers – make them your best friend.
* Tim Hyman is also producing The Essential Guide to GDPR - email HERE for details.
This is Urban Fantasist
Barrister and Reuters correspondent turned writer, award-winning tech journalist, radio presenter, podcaster, blogger, storyteller, and sometime werewolf-hunter Charles Christian is here to inform and entertain you with tales of writing, radio, geek, tech, media, music, urban myths, folklore, the weird and anything else that intrigues him. The site also has links to all Charles Christian's books including fiction, nonfiction, and the latest reviews. Plus links to his weekly Weird Tales and Smart Radio shows.
The Latest Podcast
In Episode 48 of the Weird Tales Radio Show podcast we sing the sad song of the Mistletoe Bride trapped in her living tomb + take a quiz on some little known legendary facts: seriously King Arthur, your spear is called Ron? + discover a churchyard in Northern Ireland where the graveyard dirt really does deliver a miracle cure.
Follow this link to access episodes of the Weird Tales Radio Show podcast. The page contains links to all our other podcast platforms. Click the player button below to hear latest show.
Hear Charles Christian on Smart Radio
The Midweek Late Lunch
Wednesdays 2:00pm to 4:00pm (UK)
The UK Chart Toppers Show
Sundays 2:00pm to 5:00pm (UK)
and on mobile...
Apple iOS App: Smart Radio GY
Android App: Smart Radio GY
TuneIn Radio App: Smart Radio GY
Weird Tales Podcast Links
The Urban Fantasist website is now averaging over 5000 page views daily and 150,000 page views a month plus over 6000 unique visitors each week.
Tel: 44(0)1986 788666
"Listening to your wonderful show now. I love the stories! Wonderful concept. Great work."
"Charles Christian defiantly makes my world a brighter, funnier place."
"Wonderful show tonight full of all the usual delights we've come to expect."
"The legendary Charles Christian at his eclectic best... his insight and humour alone make this a must-read blog."
"Charles Christian is my inner spirit animal, thank you for making me laugh."
"You always make me laugh! Thank you for brightening my day with your dark humour."
"the funny, wonderful and slightly cantankerous Charles Christian"
"Carlsberg don't make clients, but if they did... they'd be Charles Christian"
"His tech journalism is always witty. He has a talent for pricking the overblown claims of suppliers."
"Charles Christian does awesome!"
Charles Christian's Books
Can I copy content from this site?
Yes... providing you properly credit it. Urban Fantasist content is licensed under a Creative Commons Attribution 3.0 Unported License which means it may be shared, copied, remixed or used commercially as long as Urban Fantasist or the Weird Tales Radio Show are cited as the source.
Copyright © Charles Christian
& WordsandVision Limited 2019
Tel: 44(0)1986 788666
Urban Fantasist - infotainment fuelled by green tea and dark chocolate
Contact Address: Oak Lodge, Darrow Green Road, Denton, Harleston, Norfolk IP20 0AY, United Kingdom