We spoke with Pragasen Morgan from EY about GDPR.
Hi Pragasen, thank you very much for joining us. So, you’re here to talk to us about GDPR. What exactly is it?
So, GDPR stands for the ‘General Data Protection Regulation’, and it is a regulation that is European Union-wide. The main focus of the legislation is on you and me, actually, it’s about the individual, so protecting individual rights.
Most importantly, with the rise of the way in which data has been shared in organisations and the rise of multinationals being able to use those pieces of data in any way, shape or form, this legislation is here to protect the individual in such a way that you have to give consent for that information to be used, so to be collected, to be stored and then to be processed. So, fundamentally, this is the biggest shake-up in the marketplace on legislation over IT.
What exactly are the implications for businesses here in the UK?
So, I think there are a number of things businesses would need to consider. The first of those is that this is a shake-up of the market in relation to legislation. So, most importantly, the organisation needs to be really clear about the data that it collects about individuals, and this legislation is focused around living individuals. It needs to make sure that there’s good corporate governance around that: the way they collect it, the way they process it, the way they store it and then the way they transfer it to third parties. So, making sure that they have controls around that.
The second thing is they need to be very clear about risk and risk management around that data. So, most importantly: what are the risks when I collect the data? What are the risks when I process the data, and what are the risks if I transfer the data outside of the European Union, for example?
So, whilst the legislation is focused around covering European Union citizens, most importantly, organisations have to really take ownership over control of that information and the data that they collect, and the burden is on them to protect that information.
In terms of all the prevalence of data that we have at the moment, how can businesses prepare in terms of recruiting the right people into their business?
Because legislation is focused around the controls that you’d have in place around personal sensitive data and the way it flows across the organisation, what we are seeing is an evolution of roles and skills that you have in the organisation.
So, whilst I might have had somebody that was focused around protection of information or information security, right now I’m looking at an individual that has to have oversight of the data, as we see flowing right across the organisation.
So, what we’ve seen is the emergence of the chief data marketing officer, for example. But we’re also seeing a strong demand in the market for a chief privacy officer or a data protection officer. At the moment, the market is short and our benchmarking tells us the market across Europe is short by 33,000 data protection officer jobs.
There’s this whole narrative around Brexit. Will UK businesses still have to comply following our departure from the European Union (EU)?
We had a number of these questions around Brexit previously and especially with the uncertainty as we go into Brexit, the question has always been asked: what happens to the UK? What happens to the data of a large multi-national that is flowing right across the European Union?
So, right now we know that the UK is going through a change in its data legislation. It’s currently making its ascent through parliament. That was announced a couple of months ago, and Elizabeth Denham, who is the UK’s ICO, is quite vocal about that.
What we do know is that once the UK comes out of the European Union and once that date is set, there’ll still be a transition period, which will probably go on for two years, where we will still have to harmonise with European Union legislation. One of those pieces of legislation will be GDPR. The current bill that’s making its ascent through parliament has GDPR written into it. So, the UK will have to comply with GDPR. How the UK will work with the European Union beyond that time period, we’re unsure of just yet. What we are expecting is that the UK would become a white-listed country or a white-listed territory, in which case we can still share data across the European Union.
What advice would you give to people in terms of preparing their business for the upcoming regulation?
So, probably three key pieces of advice I would give an organisation. The first is: absolutely be certain about the types of data that you are collecting in the organisation. If you are collecting personal and sensitive data, make sure that you understand the way it is collected, where it’s stored and where it’s processed. So, that’s the first one: understanding the scope of the legislation, and whether or not it applies to you.
The second is: if I do collect personal, sensitive data, what sort of risks does the organisation have as a result of the data that it collects, processes and stores, and even transfers? Once I understand those risks, the next thing I need to do is to make sure that I have controls around that – either mitigating controls or direct controls in place that would stop that data being lost. Quite a bit of this is making sure that if I’m collecting things like personal, sensitive data in the organisation, there are legitimate grounds for processing that information. So you need to have the consent of the individual to collect it, to store it, to process it.
Great, thank you so much for your time, Pragasen.