Business First September 2017 - Page 18

GDPR: Completing a Data Audit

Rory Campbell has written a series of articles in the past months on the arrival in May 2018 of the General Data Protection Regulation, and its impact on the business world. In this issue Katey Dixon, Associate Director, Forde Campbell LLC, explains how to carry out a data audit as one of the practical steps you will need to take to prepare for next May’s law change. She also suggests that if your business engages in the process, it may have unexpected benefits beyond the fact that you’re complying with strenuous new law.

DATA AUDIT

There’s no escaping the increased risks posed by the GDPR to business. The fact that the penalties which can be imposed for breaches of the legislation have jumped from a maximum of £500,000 to the greater of €20,000,000 or four per cent of a business’s annual global turnover for certain breaches has certainly been catching headlines and turning the heads of the business community. But this is not why you should bother with the GDPR: this is why you should check your insurance policies. The reason you should bother with the GDPR is because it just might work – and that just might help your business, as much as it helps data subjects, by preventing the damage caused by a data protection breach before it occurs.

The GDPR is a radical rethinking of how personal data ought to be treated. Gone is the obligation to register with the Information Commissioner’s Office (in fact, potentially, gone is the ICO); no longer can a box be pre-ticked to show consent to use a person’s data; even consent has become worthless unless it can be shown to be an unambiguous, informed, specific and freely given signal of agreement by an individual (over the age of 16). The effect of this is that businesses need to work out how to incorporate data protection at the heart of their product or services strategy – in other words, at a much earlier stage than under the current data protection regime.

The aim of the GDPR is to shift data protection from being a one-off issue you check off with lawyers as part of risk management to being a central business ethic which encourages ‘privacy by design’. Privacy by Design requires you to take data protection into account throughout the whole product or services engineering process. Before you can incorporate data protection in your business, you need to understand where personal data is used in your business. This means that you must carry out a data audit. You need to know:

• What personal data does your business hold?
• Where does your business hold the personal data? On one central server owned and hosted by you, or on a litany of servers and arcane legacy systems?
• How was the data collected? Directly from the data subject, with their express and informed consent? Or from a bought-in list of marketing leads?
• Why are you holding the data? The GDPR wants you to be demonstrably clear about the legal purposes for which you collect, hold and process data. Understanding the reasons can help you if you don’t have the necessary consent from data subjects – the GDPR identifies permitted (but limited) situations in which you can process data without having consent.
• How long are you holding onto data for? Is it still accurate? What processes do you have in place for updating data, and removing it when you don’t need it any more?
• How will you pass data to third parties?
• What processes do you have in place for dealing with requests from data subjects to tell them about the data you hold on them?

The idea of a data audit isn’t immediately appealing. But, as with coming clean about most things, complying with the new law brings you separate advantages: while there may be upfront costs involved and time required, you’ll be able to consider more efficient ways of collecting and centralising data, at a time when the market is offering more efficient and competitive data storage systems.

And, crucially, you will be able to demonstrate compliance by the steps that you have taken: GDPR compliance is not only about complying but also about being seen to comply. Being able to produce a data audit will mean that you can show you’re taking the new law seriously.

SAVE MONEY AND STREAMLINE PROCESSES

In a lot of businesses, outdated IT systems and outsourcing to different infrastructure platforms can lead to processes inadvertently overlapping and incidental copies of data proliferating at an unmanageable rate. Carrying out an audit should help you to identify and eliminate the collection of any data which you don’t need (or which you have no legal basis to process), as well as recognising where processes overlap. Taking steps to eradicate unnecessary data is referred to in the GDPR as ‘Data Minimisation’ – and is included as one of the seven principles of processing to which a controller must adhere. As well as minimising the data held, the audit should also look at how long you hold data for and whether you have any processes in place to destroy the data when it becomes obsolete. This will help compliance with the principle of ‘Storage Limitation’. A review of the structure and adherence to these principles should help a business with data storage costs on an ongoing basis, as expiry dates are automatically attached to data collected.

16 www.businessfirstonline.co.uk