What GDPR Means in Practice for Irish Business

The General Data Protection Regulation (GDPR) is a European directive aimed at ring-fencing consumer data against illegal or unnecessary access. There is nothing to discuss or debate with local politicians, or the Irish Data Protection Commissioner for that matter. As a European directive, it has over-riding power. To obtain an English version, please visit this link, and select ?EN? from the table of languages.

As you reach for your tea, coffee or Guinness after sighting it, you will be glad to know the Irish Data Protection Commissioner has the lead in turning this into business English we understand. The following diagram should assist you to obtain a quick overview of the process we all have to go through. In this article, we briefly describe what is inside Boxes 1 to 12. The regulation comes into force on 25 May 2018 so we have less than a year to get ready.

The 12 Essential Steps to Implementing the General Data Protection Act

1. Create awareness among your people of what is coming their way. The GDPR has given our regulator discretion to dish out fines up to ?20,000,000 (or 4% of total annual global turnover, whichever is greater) so there is determination to make this happen.

2. Become accountable by understanding the consumer data you hold. Why are you retaining it, how did you obtain it, and why did you originally collect it. Now you know it is there, how much longer will you still need it? How secure is it in your hands, have you ever shared it?

3. Open a communication channel with your staff, your customers, and anyone else using the data. Share how you feel about how accountable you have been with the information in the past. Explain how you plan to comply with the GDPR in future, and what needs to change.

4. Understand the personal privacy entitlement of the subjects of the information. They have rights to access it, correct mistakes, remove information, restrict its use, decline direct marketing, and copy it to their own files. What needs to change in your systems to assure these rights?

5. Issue a policy for allowing consumers access to their information you hold. You must process requests within a month, and you may not charge for the service unless your cost is excessive. You may decline unfounded or excessive demands within your policy guidelines.

6. Adapt to the requirement that you must have a legal basis for everything you do with, and to consumer data. You need to be in a position to justify your actions to the Irish Data Protection Commissioner in the event of a complaint. Having a legitimate interest is no longer sufficient.

7. Ensure that consumer consent to collect, use, and distribute their data is ?freely given, specific, informed, and unambiguous.? From 25 May 2018 onward, this consent will be your only ground to do so. You cannot force consent. Your benchmark becomes what the GDPR says.

8. Issue rules for managing data of underage subjects. This is currently under review and we are awaiting results. Put systems in place to verify age. Set triggers for where guardians must give consent. Make sure age is verifiable. Use language young people understand.

9. Introduce a culture of openness and honesty, whereby breaches of the GDPR are detected, reported, investigated, and resolved. You will have a duty to file a GDPR report with the Data Protection Commissioner within 72 hours, thus it is important to fast track the process.

10. Introduce a policy of conducting a privacy assessment before taking new initiatives. The GDPR calls for ?privacy by deign?, and we need to engineer it in. This may be the right time to appoint a data controller in your company, and start implementing the GDPR while you have time.

11. You may also need to appoint a data protection officer depending on the size of your business. Alternatively, you need to add managing data protection compliance to an employee?s duties, or appoint an external data-protection compliance consultant.

12. Finally, and you will be glad to know this is the end of the list, the GDPR has an international flavour in that multinational organisations will report into the EU Lead Supervisory Authority. This will manage the process centrally while consulting national data authorities.

The GDPR is a project we all need to complete. If we are out of line, it is in our interests to get things straightened out. Once everything is in place, the task should not be too onerous. Getting there could be the pain.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Check our similar posts

How Energy Conservation saved Fambeau River Paper

Rising energy costs caught this Wisconsin paper mill napping, and it soon shut down because it was unable to innovate. Someone else bought it and turned it around by measuring, modifying, monitoring and listening to people.

The Fambeau River Paper Mill in Prince County, Wisconsin USA employed 13% of the city?s residents until rising energy costs shut it down in 2006. Critics wrote it off as an energy dinosaur unable to adapt. But that was before another company bought it out and resuscitated it as a fleet-footed winner.

Its collapse was a long time coming and almost inevitable. Wisconsin electricity prices had grown a third since 1997, the machinery was antiquated and the dependence on fossil power absolute. So what did the new owners change, and is there anything we can learn from this?

The key to understanding what suddenly went right was the new owners? ability to listen. They requested a government Energy Assessment that suggested a number of small step changes that took them where they needed to go in terms of energy saving. These included enhancements in steam systems and fuel switch modifications. However they needed more than that.

The second game changer was tracking down key members of the old workforce and listening to them too. This combination enabled them to finally hire back 92% of the original labour force under the same terms and conditions – and still make a profit (the other 8% had moved on elsewhere or retired). The combined energy savings produced a payback plan of 5.25 years. Three years into the project their capital investment of $15 million had already clawed back the following electricity savings.

  • Evaporator Temperature Control $2,245,000
  • Hot Water Heat Recovery $2,105,000
  • Paper Machine Devronisers $1,400,000
  • Increased Boiler Output $1,134,000
  • Paper Machine Modifications; $761,000
  • Motive Air Dryer $610,000
  • Accumulator Savings $448,000
  • Densified Fuels Plant $356,000

In terms of carbon dioxide produced, the Fambeau River Paper Mill?s contribution dropped from 1 ton to 600 pounds.

How well do you know where your company?s energy spend is concentrated, and how this compares with your industry average; could you be doing better if you innovated, and by how much? Get these questions answered by asking ecoVaro how easy it could be to get on top of your carbon metrics. This could cost you a phone call and a payback on it so rapid it’s not worth stopping to calculate.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Disadvantages of Spreadsheets – Obstacles to Compliance in the Healthcare Industry

Most of the regulatory compliance issues we talked about concerning spreadsheets have been related to financial data. But there are other kinds of data that are stored in spreadsheets which may also cause regulatory problems in the future.

In the US, a legislation known as HIPAA or Health Insurance Portability and Accountability Act is changing the way health care establishments and practitioners handle patient records. The HIPAA Privacy Rule is aimed at protecting the privacy of individually identifiable health information a.k.a. protected health information (PHI).

Examples of PHI include common identifiers like a patient’s name, address, Social Security Number, and so on, which can be used to identify the patient. HIPAA covers a wide range of health care organisations and service providers, including: health plan payers, health care clearing houses, hospitals, doctors, dentists, etc.

To protect the confidentiality, integrity, and availability of PHI, covered entities are required to implement technical policies such as access controls, authentication, and audit controls. These can easily be implemented on server-based systems.

Sad to say, many health care organisations who have started storing data electronically still rely on spreadsheet-based systems. Those policies are hard to implement in spreadsheet-based systems, where files are handled by end-users who are overloaded with their main line of work (i.e. health care) and have very little concern for data security.

In some of these systems, spreadsheet files containing PHI may have multiple versions in different workstations. Chances are, none of these files have any access control or user authentication mechanism whatsoever. Thus, changes can easily be made without proper documentation as to who carried out the changes.

And because the files are normally easily accessible, unauthorised disclosures – whether done intentionally or accidentally – will always be a lingering threat. Remember that HIPAA covered entities who are caught disclosing PHI can be fined from $50,000 up to $500,000 plus jail time.

But that’s not all. Through the HITECH Act of 2009, business associates of covered entities will now have to comply with HIPAA standards as well. Business associates are those companies who are performing functions and services for covered entities.

Examples of business associates are accounting firms, law firms, consultants, and so on. They automatically need to comply with the standards the moment they too deal with PHI.

 

More Spreadsheet Blogs

 

Spreadsheet Risks in Banks

 

Top 10 Disadvantages of Spreadsheets

 

Disadvantages of Spreadsheets – obstacles to compliance in the Healthcare Industry

 

How Internal Auditors can win the War against Spreadsheet Fraud

 

Spreadsheet Reporting – No Room in your company in an age of Business Intelligence

 

Still looking for a Way to Consolidate Excel Spreadsheets?

 

Disadvantages of Spreadsheets

 

Spreadsheet woes – ill equipped for an Agile Business Environment

 

Spreadsheet Fraud

 

Spreadsheet Woes – Limited features for easy adoption of a control framework

 

Spreadsheet woes – Burden in SOX Compliance and other Regulations

 

Spreadsheet Risk Issues

 

Server Application Solutions – Don’t let Spreadsheets hold your Business back

 

Why Spreadsheets can send the pillars of Solvency II crashing down

?

Advert-Book-UK

amazon.co.uk

?

Advert-Book-USA

amazon.com

 

Project Management

In a cutthroat market, where the competition is constantly on the attack to break into your market share, implementing a project-based system can give your organisation the necessary tools to be more efficient and agile.

However, rapidly changing consumer demands, technologies and other factors make it ever more difficult to generate a strategic advantage from projects, let alone develop one. Also since a large organisation can easily end up having to manage multiple projects at the same time, the new management paradigm can appear too complex.

What your company really needs is the expertise that can guide you starting from conception and planning, down through procurement and execution in order to maximise whatever resources you have. Each move must be well thought out so that there are clear goals and objectives as well as methods to achieve them.

Programme Management

Are you running multiple projects pointing to an overall strategic direction? Then you’ll need more than just a “scaled-up” version of project management to make sure every component’s work effort is well coordinated to achieve your enterprise’s desired outcomes.

Through our expertise in programme management, we’ll work with your stakeholders, executives and clients to achieve the following:

  • Design a well-articulated management structure and clearly define decision-making roles & responsibilities – This will ensure decisions are made rapidly with zero to minimal overlapping issues and to promote a unified, well-synchronised advance towards the common objective.
  • Set objectives then make sure they are met by guiding your key personnel in coordinating activities across projects.
  • Design or utilise existing financial models such that they adhere to your enterprise’s financial policies.
  • Develop procedures for reporting expenditures specific to the programme.
  • Establish the programme infrastructure, including
    • The appropriate technical environment and tools (e.g. hardware, software, communication, and other IT-related items)
    • IT staff and administrators
  • Evaluate your enterprise’s current IT architecture to determine whether it will suffice to achieve your objectives. If it doesn’t, propose options you can take to meet what is required.
  • Plan out activities that should take place in different levels in the organisation.
  • Implement a periodic review of the programme progress as well as of interim results to ensure everything is aligned with the strategic outcome.

Programme and Project Reviews

Whether we’ve helped you set up your programme or you did it on your own, time will come when you’ll need to know whether everything is going as planned. If it appears like the entire programme is going smoothly, chances are, something’s going awfully wrong somewhere. Remember, even the most well-planned projects and programmes are still under the mercy of unforeseen variables.

We’ve got highly specialised reviews for either projects or an entire programme. We’ll be able to provide you answers to questions like:

  • Are all projects aligned with the programme’s intended direction?
  • Are the people working on your projects as focused with the business rationale as they have been with meeting deadlines and utilising resources?
  • Where are your risks and exposures? How can they be remedied?
  • Is the project viable at all?

We understand how your staff would want to function normally as quickly as possible. Rest assured, our programme and project reviews are conducted swiftly and efficiently so that both interruptions and oversights are brought to a minimum.

After we’re done, you can expect a detailed quantitative assessment of your programme and/or projects’ status.

Basically, we’re not here to find mistakes; we’re here to help you find ways to correct them. If a project rescue is required, we’ll be the first to lend a hand.

Project Rescue

Believe it or not, many of our clients approached us not before or during their project’s planning stages. But rather, after having gone through sloppy execution, when they end up losing control. In other words, we’re usually at the receiving end of the distress signal, after they’ve punched the panic button.

While obviously this isn’t the ideal time to seek the aid of any expert because it means you’ve incurred unnecessary losses already, all is not yet lost. If the appropriate remedial actions are taken in a timely manner, you can still achieve highly acceptable end results.

In fact, in most of our experiences with project rescue operations, we’ve been able to put projects back on track – just the way the planners wanted them to be. We’ll also help you devise airtight strategies to prevent your project from going astray again.

At the end of our project rescue,

  • You’ll regain complete control
  • Milestones will be reached as planned
  • Requirements will be accomplished, and
  • The project will be realigned with ideal business directions

Project Governance Processes

Constructing a firm underlying structure is essential in any organisation. So before we’ll institute project management, we’ll do the following first.

  • Set up a PMO or Project Management Office to ensure, among others, that
    • Utilisation of facilities, budgets, technical support and other resources will be well coordinated
    • Work products can be tracked and reviewed
    • Issues regarding methodology and processes will be given appropriate attention
    • Training can be organised
    • Project management discipline be instilled in the IT department
  • Establish a steering committee to oversee the implementation of IT and business strategies
  • Fill up slots for a project manager, IT executive and a business sponsor and define the roles of each
  • Infuse project management practices to all affected units of the enterprise

Establishing PMOs, steering committees and other management structures is the easy part. Many organisations spend so much in order to create the structures related to project management, only to find out later that the effort has been all for naught. That’s why we won’t end there. Our objectives will therefore include the following:

  • To plant and cultivate an environment appreciative of project governance i.e. one that does not project it as just a bunch of bureaucratic processes and protocols.
  • To establish an organisational culture that starts at the top.
  • To make everyone involved understand that the power of project governance still lies in the hands of those who will ultimately implement it.

A project-driven enterprise is never propelled by a single project. Since multiple projects require a more complex governing structure, you’ll need to understand the intricacies of programme management.

Ready to work with Denizon?

Contact Us Today