In a recent UKFast webinar, we posed your questions about the General Data Protection Regulation to a panel of legal and data security experts.
In the second of our webinar write-ups, we’re exploring why people must be thinking about the GDPR sooner rather than later and what the regulation means for UKFast customers.
Data security specialist Matt Bruce, Director at Bruce & Butler, said:
“You’ve got to demonstrate that you’re accountable to it. Having privacy impact assessment reports saying you’ve understood the risk and made the appropriate decision is key.
The challenge [for businesses] is to understand how they sit now. What processes are being carried out? Have they got them written down anywhere? Administrative processes need to catch up first, then you can look at how you build compliance on top of that.”
Emma Ball, Senior Associate at Squire Patton Boggs, responds:
“It could be internal or an external resource but they must have the requisite knowledge of data protection. So you can’t just appoint your FD.”
Emma suggests that the role of a DPO requires more than specialist knowledge of IT, stating:
“The ideal role for a DPO would be someone who’s willing to get to grips with the paperwork and has some background in privacy and data protection, with the support of key stakeholders in the business. That would probably be compliance, security and IT. The role can, therefore, be positioned within the legal and compliance departments.
“It’s important to remember that not every business has a mandatory obligation to appoint a DPO. Public authorities do, and so do those processing high-risk data or carrying out systematic processing. We’re expecting more guidance on what is meant by that.
“I’ve noticed a trend for a lot of clients, despite not needing a DPO, to appoint a DPO and call them a data protection officer. Our advice would be: if you don’t technically need to appoint one, don’t call them a data protection officer, call them a data protection coordinator.”
“You need to be up to speed in terms of the general understanding. If you’re not very comfortable with it, you need to seek advice from somebody who is qualified to give you assurance that your compliance boxes are ticked, and support you if something goes wrong. The GDPR focuses on dealing with issues proactively, but when something goes wrong we also have to deal with it by avoiding panic and delayed actions.”
Nicola Frost, Head of Legal at UKFast adds:
“Your response plan should also deal with your reporting obligations to the ICO. What people used to report was a drop in the ocean; now you’ve got to report a breach within 72 hours of becoming aware of it.”
“Yes. As the processor you have to report it to your customer – the data controller – without undue delay.”
The GDPR has been a massive undertaking for UKFast over the last 15 months, explains Nicola:
“We’re in the process of updating all our contracts so that we can give a compliant data processing agreement to customers when the GDPR comes in.
“We’re looking at all our products, we’re documenting privacy impact assessments on all of them, we’re speaking to customers about upgrading, pentesting, WAFs and anything else they can do to further secure their solutions.
“We’re also working towards ISO 27018, which we’re hoping to be compliant with in a few months’ time, giving us a good month’s lead-in before the GDPR deadline. That ticks a lot of boxes for customers in terms of the due diligence they might have to carry out on suppliers. There are various other accreditations that we’re also looking at.
“It’s vital to consider what happens in light of Brexit. UKFast is working on the basis that we must still be compliant if we’re going to trade in Europe and if we’re going to remain competitive we need to give people those assurances. Even in light of Brexit, we’re going to have some sort of equivalent standard regardless.”
For more advice and guidance from our dream team of experts, download the GDPR toolkit for instant access to the webinar in full, on demand as well as two myth-busting and insightful GDPR whitepapers.
Disclaimer: The information in this blog is for your general guidance only and is not and shall not constitute legal advice. If you need advice on your rights or responsibilities or any legal advice around data protection matters, please obtain specific legal advice and contact an advisor or solicitor.