Data protection update

Wednesday 06 December 2017

By Nikki Morrison, Group Data Protection Officer, Equiom Group

With the upcoming implementation of the EU’s data protection regulation, GDPR, Group Data Protection Officer Nikki Morrison gives us an overview of where we are and what’s left to do:

The European Union’s General Data Protection Regulation (GDPR) was adopted in April 2016, entered into force in May 2016, and will apply from 25 May 2018. It has been described by many as the biggest shake-up in the history of privacy regulation, particularly because its extra-territorial scope means that any organisation, wherever it is established, that offers goods or services to individuals in the EU or monitors their behaviour must comply with its 99 articles and 173 recitals. That is an onerous task for any business.

The GDPR, by nature, focuses on individuals and protecting their privacy rights, while also advocating a risk-based approach to privacy. The main principles of the regulation deal with the purpose for which individuals’ data is used, how long it is retained, and the legal basis for using it. As a business, we are required to be transparent about:

  1. What data is being held and the legal basis for using it – it may be necessary to fulfil a contract or a legal obligation, it may be in our legitimate interest, and in some cases individuals may need to give their explicit consent
  2. How long the data is being held – in some limited circumstances individuals have the ‘right to be forgotten’, but in most cases there is a legal requirement to keep their data on file for a certain period
  3. What the data is being used for – are we using it for the reasons intended, or for other purposes that the individual may not reasonably expect it to be used for?
  4. Whether the data is being transferred between jurisdictions, and who we share it with – whether we are sharing information within the group or outsourcing certain functions, individuals have the right to know who has access to their data and why

There are a lot of myths surrounding GDPR, concerning the rules on consent, the right to be forgotten and the severity of the penalties for non-compliance. The truth is that many of the requirements of GDPR are nothing new for European businesses. Moreover, the GDPR sits alongside, rather than replacing, the privacy laws of the individual jurisdictions in which we operate, so as we already comply with the regulations in those jurisdictions, there is not always a need to amend our policies and procedures in that respect. The main difference is that organisations are required to provide documentary evidence of their compliance with GDPR, which means that data protection can no longer be viewed as an IT function and is now firmly established as a business-wide issue.

Since October 2016, Equiom has been preparing for compliance with GDPR. We decided early on that, as part of these preparations, we would develop a single privacy standard across the group. This means that offices in each of our jurisdictions will comply with the same standard, regardless of whether they are inside or outside the EU, while also complying with local privacy legislation. In order to ensure compliance with GDPR ahead of the May deadline, we have been working on:

  1. Gathering information needed for the data inventories and registers that GDPR requires as evidence of compliance
  2. Reviewing our privacy policy in respect of our current procedures in dealing with data
  3. Reviewing the policies, procedures and security measures used by companies to whom we outsource some of our processing
  4. Updating internal policies and procedures to ensure compliance with GDPR and to embed a culture of privacy by design and by default in everything we do
  5. Communicating with staff and carrying out training to ensure everyone in the business is aware of their responsibilities
  6. Assessing the risks to individuals involved in any changes to the business

Our findings from the above assessments are that many of the policies and procedures we have in place are already compliant with GDPR. The ongoing challenge is to ensure that all of our jurisdictions and external processors are compliant, that our staff are fully aware of what is required, and that any change to the business involves a data protection impact assessment, which focuses on the risks to individuals where their data is involved.

This ongoing requirement becomes more and more demanding as the business grows, given the sheer volume of the data and the varying rights of individuals across jurisdictions. With a dedicated team of data protection officers across the group, we are well placed to meet these demands. It is a project that is extremely important to us and supports our commitment to protecting the things you prize and, most of all, protecting the privacy of our clients and our staff.


For more information about GDPR, please contact Nikki Morrison