From private soldier to Major as second-in-command of the Royal Gibraltar Regiment, Gerard Fitzgerald had a career in the military that took him around the world. Now, as Deloitte Business Resilience Manager with an accumulation of experience of clients requesting GDPR assistance, Gerard Fitzgerald is the perfect person to advise on the upcoming EU General Data Protection Regulation (GDPR) which comes into effect on 25th May 2018.
“At 17.5 I became a reservist in the Territorial Army,” Gerard says, “then after a short period working in a bank I joined the Gibraltar Regiment at the age of 20.” Promoted through the ranks from a junior NCO to Regimental Sergeant Major, a position he also held in Afghanistan at Camp Bastion in Helmand Province as the Garrison Sergeant Major, Gerard was later offered the opportunity to become a commissioned officer, going on to become Captain and finally Major. “I got an extension, so I actually retired as second in command of the Regiment – from private soldier to second in command is quite a story to tell in itself,” he says proudly.
Having qualified in project management and attained two master’s degrees before leaving the military, in an effort to prepare for civilian life, Gerard became self-employed and was involved in running several projects, one of which was helping Deloitte attain ISO 27001 (information security management) certification. “It went very well and we managed to certify in October 2017, so Deloitte, along with all the global Deloitte offices, is now certified,” Gerard confirms.
Gerard, in full-time employment with Deloitte since January 2017, now leads security and business resilience related projects. “GDPR was already being mentioned in the background because it complements ISO27001 as it relates to information security and, as we were trying to develop a service line that includes business resilience, GDPR fitted in nicely.”
What is GDPR?
Set to replace the Data Protection Directive, the GDPR is directly applicable to each Member State and aims to achieve a greater degree of data protection harmonisation across the EU. “It is about ensuring all businesses and organisations have set up the necessary framework to implement changes to their existing privacy processing methods, to ensure our data is kept safe, and protecting us from privacy and data breaches,” Gerard explains. “GDPR is huge,” he continues, “but the key message is that it is a bit of an unknown at the moment regarding recognising the full effect GDPR is going to have on businesses.”
The GRA (Gibraltar Regulatory Authority) will, as the Data Protection Authority, be the supervisory authority here in Gibraltar. “For companies that have business within other EU countries or in the UK it will be the supervisory authorities of those countries that will dictate how serious the actual offence is. This, at times, might see coordination between supervisory authorities where data sees cross-border transfers between jurisdictions,” Gerard clarifies.
The biggest changes under GDPR are the added rights and protections it includes, covering things like biometric data, genetic data, sexual information including orientation and preferences, and the data subject’s right to erasure of data (the right to be forgotten), to mention a few. “Even the possession of a photograph has implications as to why it is going to be used and how it is going to be handled,” Gerard says. “If it is going to be used as photographic ID then it is down to ‘purpose limitation’, so companies who might not be adequately poised to secure their data in a way that guarantees security and confidentiality of such data will need to look at that.”
Who will GDPR apply to?
Any organisation which processes personal data is responsible for keeping that data safe, whether it belongs to clients, staff or an individual. This includes storage, handling of data in a confidential manner and keeping it secure from potential intruders. Firms of over 250 employees should consider employing a Data Protection Officer (DPO). This can be an external DPO or an individual appointed from within the company. This person is responsible for ensuring that the business collects, processes and secures personal data in accordance with the new GDPR.
How should companies in Gibraltar prepare themselves to become compliant? Gerard’s advice is not to ignore GDPR. “Get somebody within your organisation to lead with it and ensure they receive training,” he says. Something that Gerard wants to stress is that GDPR is a boardroom level issue. “It needs to be team led from the top down and that delegation needs support and resources; boardroom frustrations or resistance will not lead to compliance,” he says.
“Under current Data Protection Legislation, as long as you are registered with the supervisory authority and as long as you are securing data and making sure that you aren’t pushing it out without people’s consent, you were generally compliant with the legislation,” Gerard states.
“Now you need to show you have fully considered the data you hold, what processes you have got in place and what it is that you are processing as far as the data subjects go.”
“Your business might be audited at some stage and you need to prove that you have taken everything into account that the GDPR tells you to as part of the GDPR accountability framework,” Gerard confirms.
The regulation has some significant consequences in store in cases of non-compliance. Failure to comply with the GDPR will lead to heavier punishments than ever before. These include fines of up to 4% of organisational global turnover or €20 million, whichever is the greater amount. Not all shortfalls are treated equally, and some fall into a 2% or €10 million category. Key to your defence is how you have dealt with and implemented the requirements of the GDPR. “A small organisation will be unlikely to face the €10 or €20 million bracket fine; this is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, but larger organisations could be liable for massive fines.”
“BREXIT is not a get out clause,” Gerard adds. “For all organisations, being out of the EU will not mean GDPR can be ignored,” he says, “and if you are offering any goods or services within the EU or monitoring behaviour of EU data subjects, GDPR will continue to apply.”
“GDPR is coming, so brace, brace, brace,” Gerard says. “Look at where you are processing data within your organisation, why you are collecting it, what you are doing with it and, most importantly, make sure the data subject knows.”