What does GDPR mean for Business Continuity Planning (BCP) Leaders?

24 October 2017

Our systems, records and plans often contain personal information: it is what lets us reach our people quickly and assign individuals and teams to respond to incidents and crises. They may also hold other information linked to individuals and teams, such as the assets assigned to them. Planning has long been subject to data protection regulation, but the wider remit and broader definitions of the General Data Protection Regulation (GDPR) mean you will need to check that your planning systems and documents, and the way you handle them, will continue to conform under the new rules.

To comply, organisations will have to review their approach to data and privacy management across the board. This includes thinking through how we manage data within business continuity, crisis and resilience planning. We suggest there are four key areas that planners might want to focus on:

  1. Under GDPR any information that could identify a person, directly or indirectly, is personal data and is subject to regulation. As well as a name and phone number, this might include a job title, contingency role(s), staff number, asset numbers or IP address, for example.
  2. A much clearer standard for consent, where consent is the basis on which personal information is stored and used. Some of the wording of previous legislation was open to interpretation. GDPR is clear that consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action that the organisation can demonstrate was obtained. Silence or inactivity from the subject while the data is managed does not count as consent. Consent is only one of the lawful bases for processing; legitimate interests, discussed below, is another.
  3. There is a requirement for “privacy by design”. The regulation (which calls it data protection by design and by default) places an additional burden on organisations to make sure that the way information is captured, stored, accessed and shared protects privacy from the outset rather than as an afterthought. This applies to the whole data capture, storage and use process, whether it runs on IT systems or other tools. One example: you need to be able to show how you ensure that information is only available to those who need it, for instance by restricting access to plan contact details by role and removing it when someone leaves that role.
  4. Breaches may require a crisis management response. GDPR has more stringent requirements and much larger penalties, so a breach has the potential to do greater damage. Those of us who exercise crisis and major incident management teams may choose to include a personal data breach scenario, including the notification decisions and deadlines, in crisis management exercise planning to build confidence among those required to respond.

What else has changed?

There are other things worth knowing from an organisational perspective. These include:

  • In terms of compliance, the onus has shifted: rather than the complaining party having to prove the organisation is non-compliant, the organisation must be able to demonstrate its compliance with the regulation (the accountability principle).
  • A personal data breach must be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, unless it is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, those affected must also be told without undue delay. The 72-hour clock runs regardless of whether the breach is discovered out of hours or in the middle of another incident, so the decision to notify needs a named owner in your crisis structure.

You should also note that your organisation is the data controller for this information and should have someone with clear responsibility for data protection, a Data Protection Officer where the regulation requires one. They are likely to be your first port of call for any breach or potential breach, to make sure the damage from an actual breach is minimised.

So… does this mean that people who won’t give their BCM planning their mobile number really don’t have to now?

In essence, we don’t believe anything has changed here. The balance between data held for legitimate business interests, our duty of care to our staff and each person’s right to privacy remains something we have to manage well. Clear purpose and proper safeguards have always been vital and this will not change. We strongly suggest you consult your Data Protection Officer, or whoever holds data protection responsibility in your organisation, about any approaches you use or are considering using, to make sure they meet both the regulation and your management needs.

These are just some of the issues to think about ahead of GDPR taking effect in May 2018. Please do get in touch if you’d like to discuss any of these issues.

