In our previous blog, we discussed the four key areas of the General Data Protection Regulation (GDPR) and asked “What does it really mean for your organisation?” With a looming launch date of 25th May 2018, our closing advice was – don’t leave it to the last minute or chance.
Although GDPR is a huge data management undertaking, compliance needn’t be an insurmountable challenge. So, in this article we’ve summarised the steps an organisation needs to consider to ensure it does comply.
If you’re not sure where to start, consider the steps below. Addressing these issues will help put your organisation in a better position to comply with the requirements of the Regulation.
1. Data Protection Officer
Do you need one? If you’re a public authority then you’re obliged to appoint one but many private sector organisations will require one too. If you carry out regular or systematic monitoring of data subjects or you process large quantities of the special categories of personal data, you’ll need to appoint a Data Protection Officer (see Article 9(1) for details of the special categories).
Even if you’re not obliged to appoint one, there’s nothing to stop you doing so. The role needn’t be full-time. Designed to guide and support your organisation, the duties could be attached to the role of an existing employee or contracted out. Regardless of how you choose to manage this requirement, it is essential that your Data Protection Officer is a subject matter expert, has direct access to your board and is able to liaise with the regulatory bodies on your behalf.
2. Train your staff
People are the one of the biggest risks you face in terms of failure to comply. Training staff helps them understand the organisation’s responsibilities and reduces the chances of them unwittingly doing something which will result in a data breach. Once all your staff are onboard and understand what they need to do, you’ll be in a better position to ensure compliance is built in to day-to-day processes and isn’t seen as an additional burden.
3. It’s got to be fair
You’ll probably need to update your fair processing and privacy notifications to customers and maybe even your staff. Review whether or not the information you provide to individuals is explicitly clear. If you do something with people’s data which they cannot clearly ascertain from the information you provide then you’ll need to make some changes and let them know.
Ensure you put in place a process for regularly reviewing and if necessary updating your fair processing information. It must reflect what you’re doing now, not what you might have been doing five years ago.
4. With your permission
Consent is a key feature of the new Regulation. Whilst it has always been important, the new Regulation is designed to ensure you gain consent for every purpose (when you rely on it as the condition for carrying out processing). Consent needs to be opt-in (not opt-out) and you cannot present pages of unpalatable information and force customers to agree when the reality is they will neither have read nor understood the conditions and don’t genuinely agree. The key consideration here is that consent must be freely given.
Don’t forget, individuals have the right to withdraw their consent at any time. If someone withdraws their consent, unless you have another legal ground on which you can continue processing the data, you’ll have to stop.
5. Another legal basis
If you can’t rely on consent for processing some or all of your personal data, you must find another legal basis on which to carry out your processing. Aside from consent, the Regulation sets out the following bases:
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject (unless you’re a public authority, in which case you cannot rely on this condition).
Necessity of processing is a key theme throughout. Collecting and using nice-to-have or just-in-case information isn’t an option. The Regulation contains additional requirements if you’re processing special categories of data (see Article 9(2)(a) to (j)).
If you cannot meet any of these for the personal data you’re processing, then the particular activity has no legal basis and cannot continue.
6. Privacy impact assessments
Whilst privacy impact assessments (PIAs) have been a recommendation from the Information Commissioner’s Office for several years, they’re now mandatory for processes and systems processing high-risk data. For many large organisations one of the key ways of determining whether or not a process or solution will present a high risk to the rights and freedoms of data subjects is to carry out a PIA. You should consider having in place a means of standardising these into your assurance processes.
7. Forget me
The right to be forgotten (Article 17) is perhaps the new data subject right causing most discussion. It’s easy for organisations to collect data about individuals but how will you go about forgetting someone? If you are required to action a request for data removal under this right it’s essential that you are able to remove the data from all sources where you hold it. This includes backups. It is wise to develop a process now to ensure you are able to action such requests
8. Review and update agreements
Data sharing and processing agreements you have or are party to are likely to reflect current data protection law. The legal basis you are currently using for these agreements may change or cease to exist.
Many agreements will contain liability conditions designed to reflect the level of risk associated with storing and processing activities under the current legislation. It is essential to review the agreements you have in place and take time to amend these to reflect the requirements of new Regulation. Failure to do so may mean you run the risk of you sharing or processing data illegally, ultimately risking a significant financial penalty.
9. Secure IT (and manual data too)
Providing adequate protection for the data you process is essential for compliance with the Regulation. Of course, it’s entirely up to you to determine what you consider adequate but data subjects expect that their information will be held in ways which it cannot be accessed by those without appropriate authority. Physical and procedural security controls will be just as important as technical ones.
10. Map your data flows
If you don’t know what data is going where, you’ll struggle to comply with the requirements of the Regulation. Mapping your data flows provides a clear picture to your organisation of how data are travelling around, helps you identify abnormalities or non-compliances with your policies and procedures and take facilitates your taking appropriate steps to manage information risk.
Preparing for the GDPR? Ascentor can steer you through the GDPR maze
This is your GDPR action plan, produced in one week. It’s a four-step process that will arm you with the knowledge to make business decisions regarding improvements and related resources.
Get our GDPR checklist download
The tips in this article are also available as a free PDF download. As well as our own resources we’ve also provided some helpful advice from the Information Commissioner’s Office (ICO). No email is required.
For further information
If you have found this article interesting, the Ascentor blog regularly carries articles about Information Assurance (IA) and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter.
If you’d like to discuss the topic of GDPR and data protection in more depth or any aspect of IA and cyber security, please contact Dave James at Ascentor.
This is a guest blog for Ascentor, written by Arianne Kitchener LLM.