GDPR Implications – Part 1

GDPR and TrackBack

The General Data Protection Regulation (GDPR) has been adopted into UK law and will become enforceable from May 25th 2018. The changing regulations will have a significant impact on the way that personal data is managed by every organisation that handles it. As TrackBack is an integrated data partner for its clients, it must understand the implications of GDPR and ensure that all its services are compliant.

What is the General Data Protection Regulation?

GDPR aims to harmonise and toughen minimum standards for protecting personal information across the European Union and the countries with which Member States do business. Brexit, whether hard, soft or any other variant, will not affect the introduction of these regulations: any state that wishes its businesses, public sector or third sector organisations to be able to share personal information with counterparts within the EU must have laws "at least as stringent" as the GDPR.

How does GDPR impact TrackBack?

GDPR identifies two discrete roles for organisations that process personal data (Article 4):

  • Controller – "means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data"
  • Processor – "means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller"

As a service provider to the automotive sector, TrackBack is, according to these definitions, a Data Processor. This does not reduce the responsibilities TrackBack has to protect the personal data our clients share: GDPR places obligations directly on processors, including implementing appropriate security measures (Article 32), keeping records of processing (Article 30) and notifying the Controller without undue delay after becoming aware of a personal data breach (Article 33). It does mean, however, that certain obligations of the Data Controller, such as establishing a lawful basis for processing and, where that basis is consent, obtaining explicit and specific consent, do not rest with TrackBack.

What are we doing to prepare?

TrackBack already has a mature Information Security Management System, which includes data protection and privacy controls, that has been audited as being compliant with ISO/IEC 27001:2013.  The policies and processes defined in the ISMS are reviewed annually by the Information Security Working Group, which is chaired by our Managing Director, Gareth Thomas.

In 2016, TrackBack took the decision to appoint Oscar O’Connor as Chief Information Security Officer and to assign to him the responsibilities of Data Protection Officer as defined in the regulations.

TrackBack is currently reviewing all of our business processes, information flows and existing information security and management controls against the requirements and obligations of the GDPR, asking these basic questions:

  • Is all personal data adequately protected against risks liable to result in an infringement?
  • If an infringement were to occur, could TrackBack detect it and identify the affected data subjects in a timely manner?
  • Does TrackBack have a proven response capability to manage the impact of a breach of personal data security arising from an infringement, including notifying the affected Controller without undue delay and supporting its notifications to the Supervisory Authority (within 72 hours) and to affected data subjects?
  • Does TrackBack have a proven capability to recover from a breach of personal data security such that the long-term viability of the organisation is not compromised?
  • If any of TrackBack's customers asked for assistance in responding to a data subject exercising their rights (for example, access, rectification or erasure), could TrackBack provide it and evidence that the relevant task had been completed successfully?

Article 28(1) of the GDPR states:

“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”

In response to this obligation, TrackBack is currently reviewing the Data Processing Agreements it has with our clients to ensure that we are mutually satisfied that appropriate controls and management processes are in place on both sides of the Controller/Processor relationship.

Why does this matter?

TrackBack's business is predicated on being trusted with information which is of value to the data subjects and to our customers. It takes the obligations that come with that trust very seriously and would not wish to be the cause of harm to the people whose information TrackBack holds or to the reputation or businesses of our customers. Given the potential for significant fines that could result from a privacy breach, and the right of all affected data subjects to be compensated for any damage suffered (Article 82), the measures taken now to be fully compliant with GDPR, in advance of the May 25th 2018 deadline, are important to the ongoing success and growth of our business.

TrackBack will be publishing a series of blogs on this topic, examining the GDPR Principles and Data Subject Rights in more detail. TrackBack will also update clients, in a timely and transparent manner, on the progress of our annual review of policies, systems and processes against the specific requirements of GDPR.