Data breaches and cyber-attacks are among the painful side-effects of poorly managed processes and out-of-date systems. This is one of the reasons why data protection regulation is so important. In May 2018, Jersey introduced the Data Protection (Jersey) Law 2018, which follows the same principles as the European General Data Protection Regulation (GDPR) and came into force on the same day.
The GDPR and the equivalent Jersey law mean that individuals' privacy rights have been substantially strengthened and that a level playing field for data protection now exists across Europe and Jersey. But do companies have the right systems in place to comply with the regulation, or are they creating further risks? Mel Pardoe, Data Protection Officer at BDO Jersey, discusses these risks and how to address them.
With the introduction of the Data Protection (Jersey) Law 2018, the Jersey Office of the Information Commissioner (JOIC), Jersey's data protection regulator, now has the power to issue significant fines and sanctions. Companies are therefore required to ensure that the required standards are met. JOIC issued its first enforcement notice in January, making it clear that GDPR is no millennium bug and is here to stay.
The protection of personal data is a matter of fundamental rights, and it is vital that companies make it an integral part of all their processes. With cyber criminals holding the currency giant Travelex to ransom and the British Government accidentally publishing the addresses of more than 1,000 New Year Honours recipients online, privacy rights are at the forefront of public awareness and no company is immune. Yet the pragmatic implementation of data protection is something that many firms still grapple with.
It is not only necessary to comply with data protection legislation; it is also essential to be able to demonstrate compliance. It is the latter which can be the more significant challenge for businesses. In attempting to comply, firms have been using a combination of written policies, spreadsheets and forms. This often creates duplication, confusion, inefficiency, low-quality data and fragmented systems, with pockets of non-compliance where policies and protocols get missed. It then becomes difficult, if not impossible, for Boards to gain accurate oversight of what data they hold, why they are processing it and what their compliance realistically looks like.
An ongoing process
Many organisations have struggled to move past the 'project' phase of GDPR implementation. Businesses are now waking up to the fact that a one-off project does not work, because the outputs of those (often rushed) projects quickly fall out of date. Data processing is an ever-changing landscape, and if 'privacy by design' is truly to succeed, data protection needs to be a 'business as usual' function: a living process embedded in every aspect of the company.
An ongoing framework needs to be put in place in an efficient and uncomplicated way, in one central location. This reduces the risk of human error and gives the Board oversight, so that they, and the regulator, can easily see that everything is in place.
There are various tools on the market that can deal with some of the issues. Our software ROBUS is an easy-to-use holistic solution which addresses them all.
ROBUS uses current, stable technology to enable businesses to document (and complete) their data protection activities in one place. The combination of technical skills from C5 Alliance and regulatory expertise at BDO has made the 'best of both worlds' possible: you can ensure consistent, reliable and, above all, continuous adherence to your legal requirements.
You can store your records in ROBUS, and data inventories and retention schedules can be populated online efficiently and consistently. Third parties and service providers can also be onboarded in a compliant manner. A central location gives the team easy access, while a 'permissions-based' system means staff can only see the records they need for their role.
Using ROBUS, you can assign actions and tasks arising from guided data protection impact assessments and then link the assessments to your data assets and clients. Access requests and data breaches can also be logged and managed.
With instant oversight for the Board and the Data Protection Officer, you can track reviews and approvals of data processing activities in real time, so accountability and an audit history are built in. This provides reassurance to your Board, clients and the regulator that data privacy is being proactively managed.
All reporting and risk analysis can be produced through ROBUS, including the assignment of mitigation owners and timelines. Marketing campaigns can be tracked and linked, and registrations with the regulator can be viewed so that it is clear when they are due to expire.
Without ROBUS, many of these separate processes have to be carried out by different individuals, which makes it difficult for the team to work together and leaves room for error. ROBUS allows straightforward collaboration, so the process is not reliant on one person. It combines all the functions in a continuous process, so you can instantly see the relationships between them. For example, if a service provider were compromised, you would have immediate oversight of which clients and data assets are affected and could remediate quickly. You can also easily see which data protection impact assessments have not been completed and which contracts could be affected.
ROBUS can be customised to work for you. Useful hints and tips are built in to help you complete guided processes and minimise errors. The system can be introduced without disrupting existing operations, and existing data can be quickly and easily imported.
Once in place, data privacy management becomes more effective and efficient and data quality improves, meaning your clients' data is more secure because the risks have been minimised.