With any group of companies – or any other group structure – there are 7 GDPR Traps we see in the market. The good news is, they’re all easily solvable.
Whether the group was formed organically or by acquisition, because GDPR is still relatively recent, there’s likely to be separate approaches to Privacy compliance across each group member.
There’s often no uniformity in four key aspects:
Together this lack of uniformity hurts the company’s ongoing compliance. It’s hard to ensure – and prove – good operations, insights and culture when everyone’s going their own way…
It’s wrong to only adopt a ‘group-wide view’ – for example with only:
for the whole group, as if it was one controller or one processor.
GDPR places express obligations on each and every controller and processor. Looking at Privacy just from the Group level is not compliant with GDPR.
Each group member needs its own Privacy Framework and records (which can be uniform across the group) but they must be particular to the entity.
A common example in a group is for one member to do all payroll for other group members. Each group member will be a controller of their own payroll – they can’t abdicate that responsibility – and that one member will also be a processor for the other group members.
A very common thing we hear is ‘that entity doesn’t process personal data’.
This may be a special purpose vehicle (or SPV) set up for tax reasons, or simply a company that supports other group members in some way and isn’t seen as customer facing.
Unless a legal entity is dormant, it will have directors or partners who have meetings. It will process some sort of payroll or financial transactions, even if ‘just’ for the group.
We’ve even seen members that take all promotion decisions across the group described as “not relevant for GDPR” – which is most likely incorrect. They may or may not need to register with the UK ICO, but if any personal data subject to GDPR is being processed, they’re subject to GDPR.
One way to look at it is: could they suffer a breach? If someone hacked that entity, would anyone care?
Right now, we see that most organisations are at the point where they’re looking to ditch the spreadsheet because it’s now clear it’s not the way to manage this complex and comprehensive compliance area.
Group members are typically at different stages of tech adoption, and indeed technology estates, with some experimenting with home-grown or adapted solutions.
Differing technology, often siloed, makes it very difficult to manage and prove ongoing compliance. It makes collaboration tricky, reduces efficiency and can impact Security in the sense that it’s hard to ensure proper use of least privilege access; colleagues might have access to more than what they truly need for their role, increasing risk.
The above issues make it difficult to onboard a new group member or members and to help bring them up to speed on the group’s approach and compliance levels.
And it clearly raises issues when members leave the group. That might be through a sale, and you’ll want to support value creation with great GDPR answers for the relevant entities, with their own, understood framework and transparent records.
An obvious result from lack of uniformity in approach to Privacy compliance, of which Security is a foundational part – from disparate IT systems, lack of transparency and insights, lack of collaboration, and ignoring certain entities in the group – is an increase in security and breach risk.
If there’s no planned approach that looks holistically at entities in a group, looks at where data goes and how it’s secured, who has access, and all the other GDPR requirements, that’s a clear and present danger to company data, reputation and profits.
If the first 6 Traps that we’ve outlined are present in your group, there’s probably going to be a significant level of waste, both in terms of:
There’s also going to be increased stress both for those trying to manage Privacy in this environment, those reporting to the Board and those with buck-stops-here responsibility.
And there’s a huge opportunity cost in terms of speed to revenue and investment.
Let’s take a look at the 3 Key Solutions to address these 7 GDPR Traps for Groups.
Solution 1 is having a planned, uniform approach to Privacy across group members. It means those in charge can sleep easy knowing each group member is implementing the same measures to safeguard data and comply with GDPR.
They may need to tailor certain aspects but they’re going to be able to look at reports and compare apples with apples, get ahead of problems and ensure transparent reporting across the group.
A Privacy culture, based on common language and themes, will then be implemented across the group, making it easier to talk about Privacy and Security with any colleague, and to let them know what’s expected of them in their role to support the success of their entity.
Solution 2 is treating each group member separately and as part of the group. In other words: leave no group member behind.
Do this and the risk of being sent into crisis mode is drastically reduced if due diligence requests are received or an incident happens at a smaller entity.
It means each entity has a ready answer on GDPR and Privacy, there’s a sensible record of how all group members interact with each other and with the outside world, and their resulting responsibilities.
Have a group-view by all means, but each entity must be considered separately.
The third solution is to automate and to do so with SaaS. Not only can SaaS automate the repetitive tasks, it allows for the delegation of the heavy lifting so those doing the day-to-day can focus on the more value-add aspects.
And SaaS is cloud-based, meaning everyone is on the same up-to-date system. SaaS solutions will let you have separate accounts for each entity, making onboarding and offboarding group members much easier.
It will have least privilege access built in, so colleagues in each entity, in each team, and at each level, can see and edit only what they need to.
All this means communication with external advisors is more efficient.
Instant insights mean confident reporting to the Exec team and Board, at your fingertips, whether that’s downloaded reports to be sent to them, or granting them online access.
SaaS should also bring further Security benefits from having everything in one place with no legacy system out there, no version control issues, no lost expertise when employees depart. And of course Two Factor Authentication (or 2FA) is a must-have to reduce password-related breaches, while SSO helps you manage your SaaS estate and control access.
Enact these 3 Key Solutions across your group and you’ll have significantly addressed all 7 GDPR Traps.
Companies are realising that Privacy is no longer only an issue specific to Privacy or Information Governance teams and are rolling out training to educate all departments on the area. We’ve compiled some useful information on the importance of Privacy in Groups, which you can share with your own colleagues.
If you’d like to streamline, automate and accelerate GDPR compliance for your business, then why not speak to our friendly team?
See why Canaccord Genuity says Keepabl is ‘much simpler than our previous service yet better in dealing with multiple entities’.
We’re really passionate about Privacy, and we’d love to hear more about your own GDPR journey and chat about how we can help you get to where you want to be.