It’s almost upon us. In May, the General Data Protection Regulation will finally come into force. These new rules will aim to harmonise data privacy laws across the EU, boost individual rights and introduce eye-watering fines for failures (up to £17m or 4 per cent of a company’s global annual turnover). As a result, it will be the biggest change in data protection rules since the Data Protection Act 20 years ago and it will create a lot of work for financial services firms.
At e.surv Chartered Surveyors, our preparation for the GDPR started two years ago, when we began to move towards certification against the ISO 27001 standard for Information Security Management Systems. We successfully achieved that in February last year, and it was a major step towards compliance with the new rules. We now have procedures in place to identify, pre-empt and protect against data privacy impacts, to ensure the timely notification of breaches, and to comply with increased individual rights, such as the right to be forgotten.
Part of the challenge of the GDPR is the proliferation of data. Compliance has to start with a comprehensive data audit. About 90 per cent of the information we process is managed at our Kettering office, but with 400 surveyors out in the field, we can’t ignore the data that is processed locally. And it’s not just inside the business that we need to think about either; we must consider the data that we share with external suppliers too.
Over a period of four months, we conducted an audit, site-by-site and department-by-department, that included interviews with every team leader, head of function and manager in the business. We continued until we knew where all our data was, what it was used for, and how it was processed and protected.
Adding to the challenge, the GDPR has expanded not just individuals’ rights over data, but also the range of data covered. Previous regulations were ambiguous about whether certain types of data were in scope: for example, GPS tracking data or property photos. The GDPR is unequivocal, however: all of this data is now covered if it can identify individuals. As a result, we’ve revised guidance for surveyors, which includes reminders to avoid capturing the number plates of any cars in the drive when photographing the front elevation, and any family photos on the fireplace mantelpiece.
Our lender clients also have a valid interest in us being compliant, because they are the data controllers. For us, the challenge has been managing the third-party supply chain in relation to the GDPR. We asked some of our lender clients about their own compliance initiatives and how they were getting ready for the GDPR, and we found that some were more prepared than others. As a result, many of our lender clients have come to us for advice and support on their journey towards becoming GDPR compliant.
The truth is that compliance is as much about people as it is about data, and this is one of the key challenges: getting staff engaged. In our presentations on information security, we didn’t just give our employees a list of requirements and good practice, but instead tried to relate data security and privacy to everyday life – what it means for parents when safeguarding children, for example, or online safety. Establishing a culture of respect for protection and privacy is essential to ensuring that data policies are understood and acted upon.
Even so, the massive amounts of data being processed by modern organisations mean that questions about the GDPR can sometimes seem unending. Perhaps that is what the GDPR is trying to encourage: to ensure that privacy and protection stay front-of-mind, and that we remain alert to emerging issues concerning the use of data.
Shane Ross is head of risk & audit, surveying at e.surv