GDPR and disaster recovery compliance – who does the buck stop with?

Most organisations will already be on track for some level of compliance with the new GDPR legislation that comes into effect on the 25 March 2018. However, as with any other type of legislation, when it gets down to the nitty gritty detail of the act, it can require considerable interpretation. Unless you have a legal team working with you to assess the meaning of each article, it can be laborious for companies to understand whether or not they are compliant in all areas.  Whilst most companies are busy thinking about their core processes, there are some key areas of compliance being overlooked. When it comes to external companies that are acting as ‘data controllers’ on your behalf, it is extremely important that you ensure that they are following the same level of compliance as you, otherwise you could end up falling foul of the regulations. The financial penalties for getting this wrong are not insignificant! At 4 per cent of turnover or €20million (whichever is the greater), there is a real incentive to get it right, notwithstanding any damage to brand or reputation which can happen in tandem.

Disaster Recovery is a prime function that needs to be carefully addressed with regards to GDPR compliance. If you outsource any function of your DR then your DR provider becomes a data processor. They are handling personal data on your behalf and therefore need to be able to demonstrate compliance with the GDPR. Assessing your compliance suddenly becomes a much bigger task as you start to take into account all third-party data processors and their GDPR compliance processes. DR is a particularly important area to consider as it is both part of the GDPR solution and also an area for potential risk. Article 32 (1) of the GDPR states:

“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

 (a) the pseudonymisation and encryption of personal data;

=> Article: 4

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

This highlights the importance of an adequate DR solution, but within the realms of compliance, as just having a solution is not enough on its own. Decision makers need to ensure that their DR solution, or provider, is also fully compliant.

Who is accountable?

Encouragement of whistleblowing with the GDPR leaves organisations more vulnerable to exposure; yet another risk to consider when it comes to GDPR preparation.

Article 32 of the GDPR states some clear guidelines for both controllers and processors of data, but who is this relevant to, who is accountable and what measures should these stakeholders/individuals be taking to ensure compliance?

CIO/CTO:

Article 32 of the GDPR is highly relevant to any CIO or CTO or even IT manager.  It’s crucial for any CIO/CTO to review the processes pertaining to data security, availability and confidentiality and ensure that they are well documented, not only for their production system but also their DR systems. If there is a breach of data security, then it is these well-documented processes that will help protect against any penalties. Undergoing ISO27001 via an independent auditor, such as the BSI, is the best way to go about challenging your IT processes in order to comply with the GDPR. This can often highlight areas that you could improve upon that you may not have thought about previously. Choosing a DR supplier with the same certification as yours will help to allay any concerns with respect to compliance. Either way, DR suppliers will need assessing in terms of their processes around data security, availability and confidentiality, which should be actioned now, in case it sets off a new procurement process.

Finance:

For the finance department, there are both budgetary considerations but also reputational considerations. Larger companies will need to appoint a data protection officer (DPO).  That is to say, companies with over 250 people require a DPO, but smaller companies may also want to consider this. Hundreds of GDPR vacancies are currently being advertised across the main job boards and competition may be rife. Do your people have the necessary expertise required or should this be outsourced? Either way it needs budgeting for. Finance will generally have overall accountability for any penalties applied with regards to business risk. The board won’t look favourably upon a FD who must report a penalty for non-compliance with GDPR. Data processors will now have new statutory obligations and contract changes which will be required to reflect this. Together with increased compliance, processes and controls this will not come free, involving considerable overhead for the DR supplier. Expect these additional responsibilities to add to any cost pressures whilst renegotiating new contracts and budgets accordingly.  Finance should get involved in reviewing DR suppliers and assessing their risk and compliance levels, which is ultimately going to eat into their busy schedules. Data breaches can no longer be kept under wraps and the reputation of the business could be at stake if there are data mismanagement issues, which ultimately fall on the shoulders of the FD. Forward planning with regards to how potential breaches are managed should also be carried out. A process that is already in place will save time and potential penalties further down the road. All of this is likely to be within the realms of a FDs accountability.

Risk/CRO:

The head of risk is perhaps the most important person within an organisation in ensuring that GDPR compliance is maintained. CROs will be responsible for setting compliance frameworks and audits, interpreting the GDPR and assessing risk, and should be involved with all supplier contracts, including DR. They should negotiate SLAs for recoverability and insist on testing to ensure that the DR solution is working in line with the GDPR. It is the risk department that should ensure ongoing compliance with the GDPR to prevent companies from losing focus and failing to maintain well-documented processes. Ultimately the longevity of compliance will rest on the CROs shoulders.

Between these three departments, each will bear some accountability for GDPR and, more importantly, if there is a breach, they will need to come together to confidently secure the extent of the breach and avoid any further damages. Ultimately, it’s the senior executive team’s responsibility to ensure compliance is achieved which includes demonstrating that a culture of ensuring data privacy is taken seriously. This means effective leadership in addition to adequate resources being made available to achieve that goal. It may not be the data breach which is the costliest in financial terms. Often investigation of a small breach of compliance can lead to a larger breach being uncovered which may carry far higher penalties, especially with the encouragement of whistleblowing.

Whistleblowing:

Whistleblowing systems within organisations will carry new requirements regarding communication to employees:

·         The whistleblowing privacy notice/policy and other information should be more easily available to all parties invited to report.

·         Contact details of the data controller responsible for the whistleblowing system, and if applicable, the DPO, should be made available to employees

·         Employees should be informed that they have a right to file complaints with the data protection agency.

Ian Daly, director, Plan B Disaster Recovery
Image Credit: Dotshock / Shutterstock