OK, so it’s in now. Can we all relax?
The Data Protection Act 1998 morphed into the GDPR and subsequently the Data Protection Act 2018.
Many organisations we have come across have taken appropriate and proportionate measures to comply with the new regulations. Those that have not cannot say that they were not warned!
So, what is the biggest risk that data holders face now?
This is quite probably one of complacency. There has been a heavy focus on GDPR up to the 25 May 2018 deadline and now people are moving on to other projects around the pension scheme that have been put off but are now becoming more pressing – it might be valuation season, time for investment review or a tendering exercise.
Despite this, you still need to keep on top of:
• What information you retain
• How you retain it
• Who you distribute it to
Trustees should consider having a structured method of review, perhaps a standing annual agenda item that covers these points, or more frequently if appropriate.
The minutes from these meetings should reflect the discussions and actions taken to demonstrate engagement with the process – the quality of this engagement will likely reflect in the action taken by the Information Commissioner’s Office (ICO) in respect of the future breach.
I say, “the future breach”, because it is only when it is recognised that this will happen that the mind is truly focussed on how and what you will be reporting to stakeholders and the ICO in respect of a breach.
Hopefully it will never happen, but hope is a strategy with some flaws.
An honest and reasonable mistake against a backdrop of sensible attempts to comply will probably save a significant amount of money and reputational damage compared to the same breach seen against a backdrop of non-compliance and low levels of engagement.
Elizabeth Denham, the ICO Commissioner, has said that “…effective Data Protection requires clear evidence of commitment and ongoing effort” which, hopefully, we all know by now. She continues, “…organisations must continue to identify and address emerging privacy and security risks in the weeks, months and years beyond 2018”.
It is for you to decide how you will demonstrate this, but we should all be aware of the risks of not doing so.
Samantha Willoughby, Compliance Manager at Quantum
samantha.willoughby@quantumadvisory.co.uk