John Davison: With GDPR only four months away from implementation, we thought now was a really timely opportunity to give our views on five of the key areas that organisations should be following up on to make sure they are ready for ‘go live’.
Christian and I are here to talk about some of those key areas, so Christian, for me first of all, everybody seems to tell me this is technology, technology, technology and that is all that people have to worry about. Is that what you are hearing?
Christian Blackwell: It is true John that technology is absolutely fundamental in getting to grips with what you need to do as an organisation in terms of GDPR compliance, however it is not the only thing. Yes, you need to understand exactly what data you are holding where, what systems are holding that data and as well the non IT elements of holding data. It is also important to make sure that you link it to other change projects that you may have in your organisation, such as MiFID II personal data requirements, understanding the conflicts and tensions between the different requirements.
As well as technology it is really important to talk about the scope and the extended scope. We need to understand, although it is European legislation, it is not just about EU data flows, there is an extended reach which is about goods and services provided to people or companies within the EU, so that gives a much wider scope for a wider business. Also the way technology has moved on has other implications, during the last 10 years social media, what is personal data today and is captured in the different ways. How is it identifiable or not identifiable, such as IP addresses, pseudonyms, everything needs to be much more clearly understood and defined within the framework of the work you are doing to get to grips with the legislation.
John Davison: So not only have you got to make sure your systems and your infrastructures are robust for GDPR, but the whole scale of the types of personal data you can capture and how you can identify people is different, and it may well be you are saying here that organisations may not have thought through these broader ramifications so that their plans are fully scoped which I think is very sensitive place to go.
If we move away from the IT and international scope element of this, we are now in a regulatory world of senior management accountability and responsibility and kind of the onus on demonstration of system and control, so I wonder if there is any other areas in there that you are hearing noise about in relation to how organisations can make sure they have got the accountability and the controls element put together.
Christian Blackwell: It is very important that there is a defined or a responsible data controller appointed and that shouldn't just be a nominal OK, let's give someone the job title, it is a part time role for the, it is really OK making sure that the management, the governance, the resources and the processes are developed organisation to support that responsible person so that they can discharge those responsibilities appropriately.
The fourth key area which is around their data access requests, so once the data controller has got the right governance processes in place, there should be practising and trialling the responding to those data access requests in an efficient manner. We shouldn't wait around until the first one comes in after 25 May, it should be part of the testing and the preparation now.
John Davison: Now client and the public are aware of this, there is going to be an increase in the number of subject access requests which will be a very big step change for a number of financial institutions, who perhaps haven't had that many subject requests before which puts a lot of onus on the data controller to make sure those underlying processes you talked about are robust, are sustainable and are properly supported.
Moving on from that, and I guess a concluding area is the demonstration of compliance, people get to 25 May then actually they have got to make sure that what they have is sustainable, that they can demonstrate that they are sustainably meeting these terms and I wonder whether you had any thoughts on that?
Christian Blackwell: The demonstration of compliance is almost just as important as actually being compliant, it is not enough to just ensure the compliance within the organisation but actually we need as an organisations be able to demonstrate to all parties that, and have the evidence that we are being compliant. That is really about the whole programme of work, to be able to get to a point where we can do that, and building it into the compliance infrastructure of the firm in such a way that we can respond as we have been able to do for many other compliance topics over the years.
John Davison: What is particularly important here is to link that point back to something you said earlier, being prepared with the need to have specific contract terms for GDPR, there is an additional onus on firms to make sure they are monitoring their controls, and ensure that they comply with the new terms they have contracted with clients on, as opposed to purely today maybe having a more generic approach, so I think that ties it nicely together.
Christian that has been very helpful, thanks very much and I look forward to working with you to implement this across the industry.