Data Protection – Review and gap analysis

Changes in Data Protection regulation are imposing new obligations on organisations and exposing those that store personal data to additional risk.

We take the complexity out of these changes by providing a fixed price review of your business and identifying the actions that you need to take to stay compliant and to manage associated risks. With extensive business, regulatory and cybersecurity expertise, we include a risk based approach to identify the key areas that may expose you to harm.

We analyse organisations in the context of their scale and nature, and changes are often less cumbersome than our clients initially expect.

Reviews are carried out by an Institute of Banking Certified Data Protection Officer and include;

  • Site visit, regulation overview, data purpose categories, individual purpose analysis, general guidance.
  • Sybersecurity review
  • Identification of compliance and risk mitigation actions
  • Written report detailing recommendations

Contact us now and we will provide you with a cost effective* review package.

*Prices will vary subject to the nature, scale and location of your organisation

First Compliance can take you through a process to protect your business against unnecessary liability.  We also provide

  • Risk assessments,
  • Impact assessments,
  • Policy, contract and process review,
  • Critical event management
  • Outsourced Data Protection Officer services.

Access Requests & Breaches

Access Requests or Breaches are the most likely events to trigger a liability for a controller. There are two key things that a controller needs to be conscious of;

  • Timing – these events have strict timelines; missed timelines = a compliance breach
  • Structured process – there are a structured processes and established norms for these events, be prepared

Access request from a subject; this is typically the first touch point from staff /customers to a legal action. You have one month to respond and need to follow the process tightly to prevent the subjects legal advisors form using this against you. There is also much ‘over analysis’ of the data that needs to be provided. It is the personal data of the subject (not work data – this has been established in the courts) and there are other exemptions and restrictions to consider. If in doubt take advice early in the process,

Access Request form a state authority; this form of access is by its nature an investigation of an unlawful activity or a criminal offence. Ensure that the obtaining of personal data from you is lawful to avoid inadmissibility in court or liabilities on your behalf. Be conscious that the provider of this data may be required to attend court as a material witness. Be prepared.

Data Breach; the key to managing breaches is to get the timing right; you have 72 hours to report to the Data Protection Commissioner. A risk assessment will dictate whether a report is necessary, and whether the Subjects need to be informed and advised by you. Act quickly, waiting until the next the next day is losing valuable time

first is available to help you when you need expert support with Access Requests or Data Breaches.

GDPR Readiness Assessment & Delivering a Plan

We take you through a pragmatic process to identify areas that need attention. Our process will accelerate your pace of change, minimise risk to your organisation and enable you to demonstrate compliance. We assess;

  • Where are your exposures under GDPR and what are the likely consequenses
  • What actions need to be taken
  • What processes, policies and technology need to be updated to deliver an enduring process.

first will take you through a structure process to deliver;

  • A Readiness Summary with high level analysis
  • A roadmap for your organisation
  • Guidance on your requirement for an Impact Assessment
  • Key recommendations

This is an essential level of analysis for any organisation that processes personal data. You will find our consultation process informative and we will provide you with the support you need to manage your data protection obligations with confidence.

Principals of Data Protection

The current principals of data protection have been amended under GDPR to the following

1. Lawfulness, fairness and transparency – acquire and manage data fairly
2. Purpose limitation – use the data for specific purpose(s) only
3. Data minimisation – use only what is necessary
4. Accuracy – keep the data accurate complete and up to date
5. Storage limitation – a specified data deletion policy
6. Integrity and confidentiality – IT and physical security

If you hold Personal Data you are responsible for, and must be able to demonstrate compliance with, these principals

Each of these principals has extensive criterion to guide the data controller on how to manage personal data. Adherence to data protection principals is enforced with new legislation enabling fines that are ‘effective, proportionate and dissuasive’ and a breach of principal is subject to the higher level of administrative fines.

Adherence to these principals is at the core of good practice in data protection the essential basis of decisions that you make regarding the management of personal data.

Data Protection Impact Assessment DPIA

The completion of a DPIA is mandatory for businesses that manage certain forms of personal data. It is required where;

  • Considering the nature, scope and context of the purpose for processing personal data, it is likely to result in a high risk to the rights and freedoms of the subject
  • Systematic and extensive evaluating (profiling) of persons based on automated processing
  • Systematic monitoring of publicly accessible areas
  • Your kind of processing is on a list published by the DPC

A DPIA must be completed prior to processing of personal data

Not all organisations are the same, and where the requirement to perform a DPIA is not readily apparent, careful consideration needs to be taken on the correct course of action. Taking this route will provide the business with a roadmap for compliance, however may delay rollout of a process. Additionally, in the event of a requirement to go through a ‘prior consultation’ process with the DPC the timeline can get pushed out by many months.

The DPIA itself is a structured process where we engage with the parties involved and provide a description of the process, an analysis, a risk assessment and a recommended review process. This will provide a roadmap for compliance.

first can advise on your options and on how to minimise your exposure to risk, and provide you with a DPIA to comply with your obligations in this regard.

Data Protection Impact Assessment

Outsourced Data Protection Officer service

There are many approaches to the provision of Data Protection oversight in an organisation. Smaller organisation simply need a Data Protection representative, while others are mandated to have an Officer, and non-EEA businesses will require a representative. These positions may be outsourced.

Outsourcing avoids the challenge and cost of recruiting a full time Data Protection Officer or representative, and the associated risks due to the shortage of qualified and experienced skills in the market. It also brings a depth of expertise.

We provide the expertise required to fulfill this role and work closely with your management team to provide advice on GDPR and oversight of your compliance process. Your outsourced DPO or representative will get to know your business and answer data protection questions relating to day to day activities to protect your organisation from unnecessary harm.

Your outsourced DPO or representative will also operate as an interface with the office of the Data Protection Commissioner.

Public bodies and organisations whose core activities require regular and systematic monitoring on a large scale, or the processing of special data on a large scale are obliged to appoint a DPO. Others may wish appoint a DPO voluntarily, an EU representative or simply require expert support.  We will always discuss your requirement with you to understand how we can complement your current resource and provide a level of support that is right for your organisation.

Managing Access Requests

The obligations to provide data subjects with access to their personal data are tightening and more significant penalties for material and non-material errors are being enforced. What does this mean for you today?

There are two forms of requests

  • Information request – confirmation of existence of personal data, the categories and purpose; deliver in 21 days, no charge.
  • Information access request – the data, who has access, data sources, the logic behind processing, opinion and comment; delivery in 40 days, you may charge a fee.

Personal data includes paper, electronic and visual (including cctv) data

There are specific rules around how data is presented, what can be withheld, means of disclosure and what needs to be redacted. Additionally, the timelines, ability to charge and requirements to deliver electronically change under GDPR. All more onerous on the controller.

first can put a process in place for you to manage this process and advise on special (legal proceedings, whistleblower rules and etc) circumstances.

Data Protection - managing Access Requests

Risk Analysis

A core element of the good governance of any organisation is the evaluation of risk. Risk assessment is mandatory for all organisations that process personal data, and a more intensive process applies should they;

  • Systematically profile personal data on a large scale
  • Monitor publicly accessible areas
  • have processing activities that could pose a high risk to the rights and freedoms of persons
  • Are on proscribed lists published by the DPC

However the requirements set by GDPR are a minimum bar for the protection of persons and organisations often need to look more broadly to protect themselves. Adverse outcomes typically materialise in either financial and/or reputational damage.

A broader look at risk will help the board to understand, quantify and minimise exposure to damage and often more importantly, factor in reputational damage to a degree that is proportionate to it’s real effect.

first will be pleased to analyse your business more broadly and to work with you to deliver a risk model with appropriate and proportionate processes and controls. This will minimise both the probability of adverse events and their impact.

Managing Data Protection Breaches

Data Breaches typically pose a more common risk to the business than any other form of violation under data protection regulation.

Time is of the essence
How an organisation reacts in terms of risk mitigation actions, regulatory reporting and from a PR perspective is likely to define the impact of this event. Good planning for this form of event will serve the organisation well.

If an event gives rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data, the organisation needs to react. It needs to consider informing the subjects, the DPC and other relevant authorities to minimise the potential damage to the data subject.

The Data Controller is obliged to inform the DPC of a risk to personal data (with some exceptions) within 2 working days of becoming aware, however not necessarily the full detail. Data Subjects are to be informed subject to risk, or instruction from the DPC. This however is a minimum bar and each incident needs to be considered individually.

GDPR – Administrative fine matrix

Fine Level Infringement
Up to €10m, or up to 2% of total global annual turnover for the proceeding financial year Infringement of regulation by the controller or processor; record keeping, reporting, controller/processor rules and etc.
Up to €20m, up to 4% of total global annual turnover for the proceeding financial year Infringement of principals, data subjects rights, international transfer, state law, or an order by a the DPC

Important GDPR imposes mandatory and detailed reporting of breached in 72 hours. This is likely to result in the admission of liability before the full facts are uncovered.

first can implement a structured process to manage unauthorised activity relating to personal data, and provide you with advice and guidance to manage an event effectively.

Delivering a service to match your business’s requirements

We work with you to deliver practical compliance solutions that are proportionate to your organisation’s scale and activities. Our Data Protection engagements typically comprise of one or more of the following

  • High Level Review and Recommendations
  • In-depth Data Protection Readiness
  • Policy & Process Review
  • DP Impact Assessment
  • Training
  • Representing Clients with the Data Protection Commissioner
  • Critical Event Support; Access Requests, Litigation, Access Requests

first will be pleased assist you in the delivery of best practice, or to become more hands-on depending to suit your requirement.