Joining the dots to manage data risk

The In-House Lawyer’s earlier survey with DAC Beachcroft in the Spring 2017 issue, ‘Managing Risk: The In-House View’ identified these key points:

  • Those organisations with strong cross-departmental relationships are those likely to be the most effective managers of risk.
  • The valuable role that in-house lawyers could play in
    strengthening connections and joining the dots of
    communication across an organisation.
  • Data was highlighted as a priority risk, but legal’s relationship
    with the IT department was recognised as one of those that needed work.

The General Data Protection Regulation (GDPR) will introduce new risks for any organisation coming into contact with personal data. Compliance will involve collaboration and co-operation across a number of organisational functions and GDPR has the potential to expose fault lines. With enhanced sanctions and fines for non-compliance, the impact of a breach of the GDPR will likely come to rest with the head of legal.

Accountability

From an organisational risk perspective, perhaps the most fundamental change under the GDPR is the introduction of a principle of accountability. This means that organisations will have a responsibility to demonstrate compliance with the GDPR. Its accountability requirements might be compared to the era of ‘health and safety’ in that it is simply not enough for organisations to prevent legal breaches and incidents occurring; there must be proof of the measures that the organisation took in the form of policies, training and assessments.

"Ensure there is  clarity about  who is doing  what. Ambiguity  is the common  enemy." Hans Allnutt, DAC Beachcroft
“Ensure there is clarity about who is doing what. Ambiguity is the common enemy.”
Hans Allnutt, DAC Beachcroft

GDPR is also a corporate governance issue. The requirement for accountability necessarily implies that organisations ensure that effective governance is in place and responsibilities are clearly understood. Whoever is charged with the responsibility ought to have direct access to, and oversight, by the board. It is estimated that 18,000 data protection officers (DPOs) are needed for organisations required to have one in place by May, although the GDPR does allow the role to be contracted out. Organisations not requiring a DPO should still be sure to identify a data protection lead to ensure data protection accountability and governance.

There is no consensus about the department or function that the DPO should sit in. Some sectors, such as financial services and healthcare, may find it easier than others to place the DPO within their existing governance frameworks. There are instances of some organisations with a head of IT law – a potential home for data protection. Others are seeing this as the finance or the risk department. Whatever decision is made, it is vital that the DPO is able to maintain independence.

Speed of response

The demands for swift reporting underlines the importance of clearly identifying data responsibilities throughout the organisation. This concerns not just the leadership of the breach response process, but also how quickly and easily the organisation can account for the relevant data processing activity at short notice. It will be necessary to disclose the incident to data regulators and also to data subjects who will demand answers.

This need for rapid response also highlights the importance of establishing good relationships across the different business functions involved in GDPR compliance. GDPR will not be addressed by retreating into departmental silos.

Building bridges

With effective communication critical for compliance there is likely to be a need for some bridge building. What might help?

  • Develop a shared vision of what good looks like across the departments involved.
  • Bond through adversity; share stories about previous recovery exercises in other instances and share the learning.
  • Understand the difficulties each department faces in executing its role.
  • Ask if you are a good friend or a difficult partner. How can you help each other?
  • Have a jargon ‘amnesty’. Give up the words that impede communication.
  • Ensure there is clarity about who is doing what. Ambiguity is the common enemy.

While the responsibility for data protection may vary, any significant breach of the GDPR is likely to come to rest with the legal department. The head of legal needs to be satisfied that their organisation is taking the necessary measures to ensure GDPR accountability and governance are in place.

Hans Allnutt is a partner and leads DAC Beachcroft’s cyber and data risk team.

Key points of the GDPR
  • The GDPR represents a wholesale replacement of data protection law throughout Europe.
  • The regulation aims to harmonise data protection across Europe.
  • It will come into effect on 25 May 2018, marking a watershed moment for the risk profile of data protection within most organisations. Brexit will not lessen its impact – it will continue to affect the UK post Brexit.
  • Under the GDPR personal data breaches will need to be notified to the Information Commissioner’s Office within 72 hours, and affected data subjects without undue delay, in certain circumstances.
  • Fines of up to 4% of turnover, or £20m, as a result of non-compliance.
  • Data protection officers required for some organisations which undertake certain large-scale data processing activities.
  • Stricter conditions for obtaining consent.