Contact July/August 2018

Page 65

GDPR

A New Era in Data Protection

Leslie Langlois, data protection officer at Sure, looks at the practicalities of GDPR preparation using the communications company as a case study.

Sure has been very active in ensuring the firm complies with its data handling requirements. This exploration of the firm’s GDPR-friendly policies should highlight some lessons that other Channel Islands’ businesses can benefit from.

Appointing a DPO – a proportional response

One of GDPR’s key tenets is that it doesn’t prescribe how organisations reach the privacy and security standards that it lays out. This has been done to give companies the freedom to choose the best routes for them, and it recognises that small businesses won’t have the same level of resources as larger ones. In fact, many won’t have the same quantity of data or complexity of information systems as others.

One of the first steps Sure took when addressing GDPR was to undertake a range of Privacy Impact Assessments to fully understand the data we collect, how we collect it, why we collect it and the controls in place to protect it. As a result of these analyses, we concluded that the appointment of a data protection officer was an appropriate route for Sure. Sure is a large business by Channel Islands’ standards, one which holds personal data on thousands of islanders and whose cloud services clients also hold their own clients’ personal data on our servers, a situation which makes us both a data controller and a data processor under the regulation.

Although there was no requirement for Sure to appoint a DPO under the regulation, we felt that having one person focused on data security and privacy was the right course of action: it not only shows our commitment to data security but also gives our customers a single point of contact for their enquiries and creates a smoother process for regulators.

Bringing GDPR to our colleagues

Sure employs many people who don’t encounter personal data on a regular basis. However, our analysis showed that most people within Sure do have access to, or modify, personal data at some point in their work. As a result of this insight, we decided that the most efficient and effective way to ensure the right people have the right understanding of GDPR and its effects was to roll out company-wide data privacy and GDPR training. This complements the annual information security training that we had already implemented. Regardless of the size of your organisation, providing training to all employees is something that you should consider very seriously, and it can be achieved cost-effectively with the use of external training organisations.

Policy reviews

We have also updated our privacy notice, splitting it into two new notices: one for customers, the other for job applicants and employees. These outline the information we must give to individuals whose data we process and include what we collect, why we collect it, the legal basis for processing the data and details of their rights. Such a review is something that all organisations should consider and, like training, if the expertise doesn’t exist in-house, then it is worthwhile looking at the many third-party options that exist in the islands.

A new attitude to data collection

As a result of our company-wide data reviews, we have resolved to move towards a culture of minimal data collection. This means that we want to reach a situation where only essential data is held. This will be an ongoing exercise and will aid data protection compliance long into the future. A similarly continuous work programme is the updating of our policies and procedures for the requirements of GDPR and its locally equivalent laws. The era of data collection is never going to end, and by implementing an ongoing and iterative programme of review and analysis, which includes continuing to achieve and expand the scope of our ISO 27001 certification for information security, Sure aims to become and remain a leading example of personal data handling.
