Is there a guide for helping my business become GDPR compliant?
The General Data Protection Regulation (GDPR) legislation is a daunting regulatory framework which will cause organisations to reconsider the use of personal information for years to come.
As we have discussed in a series of articles that ACCA has published this autumn, the regulation includes many components which should be considered within your organisation. While ACCA has made a number of resources available (see the list at the bottom), you may also need to consult external advisers.
Below is our quick reference guide to some aspects for you to consider and some useful external resources.
GDPR is a law which includes requirements for compliance and for interaction with regulators following an event. We highly recommend that your organisation consider the advice of legal counsel to help you understand the regulation and its specific impact on your business. Legal counsel can help you with everything from contracts to employee awareness.
Legal counsel will also be important for you to have at the ready if a data breach occurs. Privacy counsel in particular will be helpful when you are required to communicate with affected people and regulators.
GDPR focuses on the processing of personal data (including its use and storage). It is important for your internal stakeholders to fully understand the impact of GDPR on the way in which you work with information. In many organisations this involves an information technology and/or security team. While the best internal resources can perform valuable research, outside consultants, with their view across industries, can be extremely valuable. They can help you to understand best practices within your industry as well as lessons learnt.
When security incidents occur, external forensic computer consultants can be valuable for determining what happened and (sometimes more importantly) what did not happen. The report of their findings combined with the advice of legal counsel can be useful for providing effective communication to affected people and regulators.
GDPR comes with a natural view towards liability. Cyber insurance is now a key component of insurance portfolios. We recommend you speak with an experienced cyber insurance broker to better understand your information risk and the potential impact of GDPR.
When a security incident occurs, cyber insurance is very useful. Cyber insurance pays for the costs associated with managing a security event/data breach. The insurance not only pays, but it helps you to connect with privacy counsel, forensic computer consultants and communications firms at short notice.
Suppliers and service providers
The GDPR imposes obligations in respect of the personal data you process (including where you collect, store and use personal data). It is therefore important to understand which of your suppliers and service providers process personal data on your behalf and how they are working to become compliant with GDPR.
When considering the security incident response as outlined above, think about your suppliers and service providers. If they have a data breach event, do they have a contractual duty to inform you? If not, they probably should.
Overall, there is no perfect approach for your firm to take – however, the key is to involve primary stakeholders, both internal and external, in the conversation as early as possible.
Please note that the purpose of this article is to provide a summary of and our thoughts on the GDPR. It does not contain a full analysis of the law nor does it constitute a legal opinion or advice by Lockton Companies LLP on the law discussed. The contents of this article should not be relied upon and you must take specific legal advice on any matter that relates to this.
Lockton Companies LLP accepts no responsibility for loss occasioned to any person acting or refraining from acting as a result of the material contained in this article. No part of this article may be used, reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, reading or otherwise without the prior permission of Lockton Companies LLP.
ACCA and Haines Watts have produced a number of free webinars on GDPR. An overview webinar was held in October and now a series of eight short webinars looks at key elements from the Regulation and affected business functions. We recommend that you listen to the Key Elements webinars first – in particular, the Key Principles webinar.
The webinars are presented by Mike Hughes, Steve Connors and Vincent Mulligan. Mike and Steve are partners at Haines Watts, whilst Vincent is an ACCA member and IT Audit Consultant at Eisteoir Consulting Ltd.
You can pick and choose the topics of greatest relevance to you to watch ‘on demand’ – please register for any of these webinars including the overview webinar from October.
ACCA and Haines Watts will be developing some case studies in the new year to supplement these webinars.