There are not many businesses that haven't heard of the data protection changes due on 25th May 2018! The General Data Protection Regulation (GDPR) (2016/679) brings data protection legislation into the 21st century digital age, enforcing a risk-based approach on anyone processing personal data.
With stronger rights for data subjects and tighter controls in areas such as transfers, data minimisation and the security of processing, the GDPR necessitates a review and revision of existing data protection measures and procedures, alongside the development and implementation of new ones to meet the additional requirements.
Checklists, Toolkits and Templates….Oh My!
The internet is now saturated with organisations offering tools, templates and solutions for GDPR compliance, and whilst many have a place in aiding the implementation of an effective data protection program, buying complete GDPR compliance ‘off-the-shelf’ is a myth!
Using pre-defined data protection policies, procedures and checklists (if developed properly) is a great way of building a compliant data protection regime with effective gap analysis, written procedures and supporting policies. However, these will not remove the time, effort and resources that organisations must spend on gaining and maintaining compliance with the Regulation.
Steps & Actions for GDPR Compliance
This section is certainly not an exhaustive or definitive list of suggested actions; however, it does offer guidance from a range of sources on steps that can aid compliance with, and implementation of, the GDPR. Such sources include our own knowledge and experience, the ICO checklists for controllers and processors, the Regulation itself and other guidance notes and papers.
- GDPR Compliance Checklist – whether you purchase a checklist, use one of the ICO's or create your own, utilising a checklist can help identify gaps and ascertain which areas of your data protection program need improvement or are non-compliant. Such actions are only as good as the checklist being used, so make sure that it is complete, compliant and relevant!
- Information Audit – one of the ICO's first recommendations for GDPR preparation is to map the personal data flows within your business. Larger organisations can complete an audit in each business area if required, with SMEs often preferring to use one information audit for the whole business. The aim of the data map is to see how personal data flows into, through and out of the business and to document the what, where, who and how of all personal data. Template headings can include: –
- Purpose of data
- Types of personal data
- Where data is located & in what format
- Legal Basis for Processing
- Retention period
- Review Consent & Privacy Notices – consent obtained previously does not need to be re-obtained if it met the GDPR standard when it was given; however, if it did not, you should seek fresh GDPR-compliant consent. Mechanisms for obtaining consent should be reviewed and privacy notices updated to ensure that they contain the Article 13 & 14 information disclosures. When reviewing/developing consent mechanisms, the ICO suggest that organisations: –
- Check that consent is the most appropriate lawful basis for the processing
- Ensure that consent requests are clear, prominent and separate from any T&Cs
- Give granular options to consent separately to different types of processing (if appropriate)
- Provide name & contact details of your business & any relevant third-party who will rely on the consent
- Explain the right to withdraw consent, note how to do this & make it simple and clear
- Ensure individuals can refuse to consent without detriment & that it is not a precondition of a service
- Have mechanisms for recording and managing consent, recording how & when consent was obtained
- Regularly review consent to check that the relationship, processing and the purposes have not changed
- Online Services for Children – if applicable, you must ensure that you have effective systems and controls in place to manage the consent mechanisms. Consider processes for verifying the age of an individual and, where a child is under the age at which they can give their own consent (13 in the UK under the Data Protection Act 2018), ensure that you obtain parent/guardian consent before processing their data. Privacy notices aimed at children must be concise, clear, easy to understand, easy to access and be reviewed regularly.
- Data Protection by Design & Default – Article 25 requires controllers to implement appropriate technical and organisational measures, both at the design stage and by default, that give effect to the data protection principles and meet the requirements of the Regulation. Not just a single action, this calls for organisations to adopt an approach that promotes security, privacy and data protection compliance from the start of projects and at the core of the business. It encompasses data minimisation (processing only that which is necessary for each specific purpose), limited retention and restricted access.
- Data Protection Policy – many organisations already have such a policy in place, however, the GDPR will necessitate a revised/new policy covering areas such as data subject rights, the business’s approach to data protection, guidance for employees and third-parties etc. The policy can also extend to include procedures for areas such as secure processing, data minimisation, transfers and disclosures.
- Risk Management – the GDPR takes a risk-based approach and notes that 'risk should be evaluated on the basis of an objective assessment, [to] establish whether data processing operations involve a risk or a high risk'. Under Article 35, organisations must carry out a Data Protection Impact Assessment (DPIA) before processing that is likely to result in a high risk to the rights and freedoms of individuals; a screening process is therefore needed to decide which processing operations require one. Alongside procedures for completing DPIAs, businesses should have structured risk management policies and procedures as well as a risk register for documenting threats, vulnerabilities and potential impacts.
- Processing Activities – overlapping with some of the data found in an information audit, some organisations may be required to maintain records of their processing activities under Article 30. If obligated, controller records should include: –
- The controller/processor name and contact details
- Details of DPO, joint controller & the controller’s representative (if applicable)
- Purposes of the processing
- Categories of data subjects & personal data
- Recipients (who personal data is/will be disclosed to)
- Transfers of personal data to a third country/international organisation
- Documentation of suitable safeguards regarding transfers
- Envisaged time limits for erasure of data
- General description of the technical and organisational security measures
- Data Protection Officer (DPO) – if you are obligated under Article 37 to appoint a DPO, you should document their duties and ensure that they have the support, resources and autonomy to carry out their role effectively and compliantly. The GDPR requires that the 'data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39'. In addition, controllers/processors are required to publish the contact details of the DPO and communicate them to the supervisory authority.
- Staff Guidance & Training – a Data Protection Policy can also be a guidance document for staff; however, for employees who are directly involved in the processing of personal data, you should ensure a robust and thorough program for their support and training. Implement procedures to guide staff on how to manage the personal data that you hold and what to do when individuals exercise their rights (i.e. subject access or rectification). Reporting lines and DPO details (if applicable) should be disseminated, with specific data protection training workshops being included in all induction phases, as well as on a regular basis for existing staff or those returning after long absences.
- Data Subject Rights – there are several rights for individuals under the GDPR (some similar to the existing DPA), so having clear procedures and mechanisms in place to allow for the exercising of such rights is essential. Subject access requests, rectifying data, erasure & restricted processing all require a written process that employees can understand and follow. In most cases, requests should be actioned within one month of receipt and be free of charge, with communication being in a concise, intelligible and easily accessible form. Your information audit can be useful for data subject requests in identifying where data is located, in what format and any disclosure recipients.
- Data Portability – this area has new requirements for data protection and in certain circumstances, organisations are expected to have controls and systems for enabling individuals to ‘receive their personal data in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without hindrance’. The ICO suggest that businesses: –
- Implement a process that will enable individuals to submit a request
- Ensure that the medium in which the data is provided has appropriate technical measures in place to protect the data it contains
- Ensure that the medium in which the data is provided allows individuals to move, copy or transfer that data easily from one organisation to another without hindrance
- Information Security – this goes hand in hand with data protection and all businesses should review or implement an Information Security Policy. It should seek to cover the Article 32 security measures (e.g. pseudonymisation and encryption of personal data), data minimisation, secure storage, transfer and disposal processes, access controls, network & physical security, updates & patch management, remote access and internet use.
- Data Breaches – an area that requires its own policies and procedures; having processes in place to identify, measure, monitor and investigate personal data breaches is mandatory, as is effective incident management. Organisations should seek to develop and implement effective processes to identify, report, manage and resolve any personal data breaches, with dedicated staff training and support being made available. There must also be mechanisms in place to ensure that the mandatory breach notifications are made: to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33), and to the affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34). Processors must notify the controller without undue delay after becoming aware of a breach.
- Retention Periods – implement or review existing retention policies and schedules so that you can see at a glance why, when and for how long data should be retained (e.g. for legal or statutory reasons), and when it must be disposed of. Your retention program should be reviewed regularly, with the role being assigned to a specific person/department to ensure compliance and continuity.
- Processor Agreements – where you use third-party processors, it is essential that you have written contracts/agreements in place (as required by Article 28) to ensure they understand their obligations and responsibilities under the Regulation. Written processes should inform any data processors about rectification, erasure and/or restriction of the data they hold for you; if applicable, you should consider any standard contractual clauses and approved codes of conduct or certification schemes that can assist in the service agreement. Contracts should include certain specific terms, including the processor meeting the applicable GDPR requirements, regular reviews and audits of their service and processes, adequate security & technical measures and effective disposal processes.
- Audits & Monitoring – having effective policies, procedures and controls to ensure data protection compliance is only half the process! Ongoing reviews, audits and monitoring of business functions and systems is essential for effective data processing and security. You should develop audit and monitoring processes that regularly review your data protection and associated policies and procedures for compliance with the Regulation and associated laws and test outcomes to ensure that they continue to be effective.
- Non-EU Transfers – the GDPR requires an adequate level of protection for any personal data transferred to, or processed in, third countries or international organisations. Effective and robust procedures should be developed to ensure that any transfer of personal data outside the EU complies with the conditions laid out in Chapter V of the Regulation. Such conditions include ensuring that: –
- There is a positive adequacy decision by the Commission for the destination country; or
- There are adequate, documented safeguards and measures in place (e.g. a legally binding and enforceable instrument, binding corporate rules, standard data protection clauses), which must provide enforceable data subject rights and effective legal remedies for data subjects
- In addition, regular audits and monitoring of the documented security arrangements should take place
Catherine Roberts, Founder, Know Your Compliance