500 days of GDPR

Featured Blog Image

by Bryan Beesley, Senior Manager and Head of Data Privacy, KPMG LLC

The 25th May 2018 saw the instruction of the revised General Data Privacy Regulation, more commonly known to us all as GDPR but, 500 days later, where are we now and how has it impacted the way we approach business here on the Isle of Man?

There was a huge surge of policy writing, training and changes the closer we got to the 25th May 2018. Some firms completely destroyed substantial contact databases which had been built up over many years, whilst other firms did the bare minimum to scrape through what they perceived to be the requirement of the new legislation.

It seems fair to say that the majority of firms now are continuing life as was, albeit having made some slight communication changes, and it is worrying that GDPR is seemingly viewed as a one-off event rather than an ongoing requirement. How confident would you feel if the Information Commissioner turned up at your door and asked to do a spot inspection (something that is starting to occur more frequently now)?

Over the past 500 days, our data privacy team have been working with a number of firms on their GDPR policies and therefore wanted to pick out some key situations we have seen that should be regularly considered to keep yourself compliant:

Segregation of work areas from client areas
When I visit clients it often amazes me, how much client data, or access to client data, is available with minimal effort. If somebody can gain access to a client area without any form of security then you could be in breach of GDPR. Having basic identity and access controls might not be enough. There are many firms who implement a proxy-pass system but then ignore that there is a lift or uncontrolled access straight into client areas, and more fundamentally the common activity of tailgating.

Update your data flow / data mapping to meet updated regulations
Have there been other applicable regulatory changes and amendments since GDPR came into effect? If so every firm should have amended data flows and data mapping as a minimum - this is in addition to the annual data policy reviews which everybody should undertake as part of its review.

Multi-jurisdictional policies
The island, by its very nature, has a plethora of firms who have offices in multiple jurisdictions. It is therefore imperative that firms have multi-jurisdictional policies in place rather than just set policies for each jurisdiction. For example, data records in the Isle of Man are legally required to be held for 7 years whereas in other jurisdictions outside of the EU, whilst still compliant with GDPR, may legally require documents to be held for 9 years resulting in additional wording in contracts and policies.

The boardroom
Is privacy (and cyber risk) a regular item on your board agenda? My experience is that it is an afterthought or only added when there has been a problem. It needs to be a regular item and discussed, documented and actioned monthly. The time you have to bring it onto the agenda, due to an issue, clearly shows that it is too late.

The above are just five key areas we see but there are many more, common themes such as the way technology is being used outside of the workplace (i.e. use of VPNs), external email checkers (so that there is a check in place before an email is sent externally), policies that must be in place if you have CCTV, Data Protection Officer requirements and how they interact with the Board and wider business, and so on.

GDPR isn’t going away and there has definitely been a “grace period” over these past 500 days. If there is one thing for certain it’s that there is no excuse for firms not to be compliant over the next 500 days.


  • Recent Posts