7 GDPR Traps for Groups and how to avoid them

GDPR can be tough enough, but there are 7 common traps when it comes to a group of companies, whether big or small. We’ll detail these 7 GDPR Traps for Groups and how they can be avoided, as well as going through some key benefits from having good Privacy.

With any group of companies – or any other group structure – there are 7 GDPR Traps we see in the market. The good news is, they’re all easily solvable.


1. No uniformity

Whether the group was formed organically or by acquisition, because GDPR is still relatively recent, there’s likely to be separate approaches to Privacy compliance across each group member.

There’s often no uniformity in four key aspects: 

Approach & Understanding

  • Who leads Privacy, who drives it in each entity and across the group?
  • Is everyone aware of this?
  • How embedded is Privacy in the culture and practice across the group?

Management & Reporting

  • What’s being looked at, and what questions are being asked – if any?
  • What’s being reported on a regular basis?
  • What insights and transparency does each entity and the group have to support ongoing compliance and meeting accountability obligations?

Together this lack of uniformity hurts the company’s ongoing compliance. It’s hard to ensure – and prove – good operations, insights and culture when everyone’s going their own way…


2. Taking a purely Group view

Taking uniformity to the extreme

It’s wrong to only adopt a ‘group-wide view’ – for example with only:

  • one data inventory,
  • one set of Article 30 Records, or
  • one Breach record

for the whole group, as if it was one controller or one processor.

GDPR places express obligations on each and every controller and processor. Looking at Privacy just from the Group level is not compliant with GDPR.

Each group member needs its own Privacy Framework and records (which can be uniform across the group) but they must be particular to the entity.

A common example in a group is for one member to do all payroll for other group members. Each group member will be a controller of their own payroll – they can’t abdicate that responsibility – and that one member will also be a processor for the other group members.


3. ‘That entity doesn’t process customer data’

A very common thing we hear is ‘that entity doesn’t process personal data’.

This may be a special purpose vehicle (or SPV) set up for tax reasons, or simply a company that supports other group members in some way and isn’t seen as customer facing.

Unless a legal entity is dormant, it will have directors or partners who have meetings. It will process some sort of payroll or financial transactions, even if ‘just’ for the group.

We’ve even seen members that take all promotion decisions across the group described as “not relevant for GDPR” – which is most likely incorrect. They may or may not need to register with the UK ICO, but if any personal data subject to GDPR is being processed, they are subject to GDPR.

One way to look at it is: could they suffer a breach? If someone hacked that entity, would anyone care?

Most probably…


4. Disparate IT

Right now, we see that most organisations are at the point of ditching the spreadsheet, because it’s now clear that a spreadsheet is not the way to manage this complex and comprehensive compliance area.

Group members are typically at different stages of tech adoption, and indeed have different technology estates, with some experimenting with home-grown or adapted solutions.

Differing technology, often siloed, makes it very difficult to manage and prove ongoing compliance. It makes collaboration tricky, reduces efficiency and can undermine Security, because it’s hard to enforce least privilege access consistently across several systems: colleagues may end up with access to more than they truly need for their role, increasing risk.


5. Membership changes

The above issues make it difficult to onboard a new group member or members and to bring them up to speed on the group’s approach and compliance levels.

They also clearly raise issues when members leave the group. That might be through a sale, where you’ll want to support value creation with great GDPR answers for the relevant entities, each with its own understood framework and transparent records.


6. Security and Breach risk

Security is a foundational part of Privacy compliance. An obvious result of a lack of uniformity in approach – disparate IT systems, lack of transparency and insights, lack of collaboration, and ignoring certain entities in the group – is an increase in security and breach risk.

If there’s no planned approach that looks holistically at entities in a group, looks at where data goes and how it’s secured, who has access, and all the other GDPR requirements, that’s a clear and present danger to company data, reputation and profits.


7. Wasted resources, increased stress, lost opportunity

If the first 6 Traps that we’ve outlined are present in your group, there’s probably going to be a significant level of waste, both in terms of:

  • precious time that could be spent on more value-added activities, and
  • equally precious cash that could be used to gain rewards elsewhere.

There’s also going to be increased stress for those trying to manage Privacy in this environment, for those reporting to the Board, and for those with buck-stops-here responsibility.

And there’s a huge opportunity cost in terms of speed to revenue and investment.


Solutions

Let’s take a look at the 3 Key Solutions to address these 7 GDPR Traps for Groups.


Solution 1: Uniform approach

Solution 1 is having a planned, uniform approach to Privacy across group members. It means those in charge can sleep easy knowing each group member is implementing the same measures to safeguard data and comply with GDPR.

They may need to tailor certain aspects but they’re going to be able to look at reports and compare apples with apples, get ahead of problems and ensure transparent reporting across the group.

A Privacy culture, based on common language and themes, will then be implemented across the group, making it easier to talk about Privacy and Security with any colleague, and to let them know what’s expected of them in their role to support the success of their entity.


Solution 2: Cover all entities

Solution 2 is treating each group member separately and as part of the group. In other words: leave no group member behind.

Do this and the risk of being sent into crisis mode is drastically reduced if due diligence requests are received or an incident happens at a smaller entity.

It means each entity has a ready answer on GDPR and Privacy, there’s a sensible record of how all group members interact with each other and with the outside world, and their resulting responsibilities.

Have a group-view by all means, but each entity must be considered separately.


Solution 3: Automate with SaaS

The third solution is to automate, and to do so with SaaS. Not only can SaaS automate the repetitive tasks, it allows the heavy lifting to be delegated so those doing the day-to-day can focus on the more value-adding aspects.

SaaS is cloud-based, meaning everyone is on the same up-to-date system. SaaS solutions will let you have separate accounts for each entity, making onboarding and offboarding group members much easier.

It will have least privilege access built in, so colleagues in each entity, in each team, and at each level, can see and edit only what they need to.

All this means communication with external advisors is more efficient.

Instant insights mean confident reporting to the Exec team and Board at your fingertips, whether that’s downloading reports to send to them or granting them online access.

SaaS should also bring further Security benefits from having everything in one place: no legacy system out there, no version control issues, no lost expertise when employees depart. And of course Two Factor Authentication (or 2FA) is a must-have to reduce password-related breaches, while SSO helps you manage your SaaS estate and control access.

Enact these 3 Key Solutions across your group and you’ll have significantly addressed all 7 GDPR Traps.


Share Privacy knowledge with your team

Companies are realising that Privacy is no longer only an issue specific to Privacy or Information Governance teams and are rolling out training to educate all departments on the area. We’ve compiled some useful information on the importance of Privacy in Groups, which you can share with your own colleagues.

Get the free “Privacy for Groups” info pack


Why not choose Keepabl to automate Privacy in your organisation?

If you’d like to streamline, automate and accelerate GDPR compliance for your business, then why not speak to our friendly team?

Why Keepabl is awesome for Groups!

See why Canaccord Genuity says Keepabl is ‘much simpler than our previous service yet better in dealing with multiple entities’.

We’re really passionate about Privacy, and we’d love to hear more about your own GDPR journey and chat about how we can help you get to where you want to be.

Request your Keepabl demo now
