A Guide to Surviving the GDPR: Part 1
With the frenzy being whipped up by the media, it’s probably pointless asking you not to panic about the GDPR, but the sensible response is to replace blind terror with carefully considered action. Over the next two articles we discuss the steps that we recommend you take to start working towards compliance before next May.
Awareness: Few of us can remember the introduction of new laws that were heralded with such apocalyptic tones as the GDPR, so unless you’ve saved up all your flexi-time and annual leave and spent it on a package holiday under a rock for the past few years, you are probably aware of the new legislation and its 25th May 2018 enforcement deadline.
If your business is yet to act, it’s time to gather the relevant personnel: Directors, Partners, Executives or whoever is required to set up a data governance team to steer the organisation towards compliance in the remaining timeframe. If you are the sole member of your business, it’s high time to take a look in the mirror and have a stern word with yourself about getting GDPR compliant.
Assign Tasks: Once you have all agreed that there is no point sitting still while the building burns around you, it’s a necessity to appoint the appropriate people to lead the business to GDPR compliance. If you have a Data Protection Officer (“DPO”), it’s a bit of a no-brainer as to who will lead the project but if you don’t have any staff with accountability for data protection, now is the time to allocate responsibility for specific tasks across the organisation. The range of individuals will be entirely based on the size of your business. In a large organisation, the key personnel will probably come from the Legal, HR, IT and Security teams but the scope is specific to how data is used within the business. In a small operation, the responsibility may fall upon one individual alone.
Aside from limitless coffee, these intrepid individuals will need support from all areas of the business and especially from the executive team. It’s a smart idea to appoint a sponsor from the highest level of management to ensure that all the requirements identified by this team are furnished with the budget and resources needed to incorporate all actions across the entire business. An under-resourced talking shop is a waste of everyone’s time and certainly won’t get you any closer to compliance.
The fun doesn’t stop on May 25th 2018: If it isn’t already the hottest topic around the water cooler at work, GDPR certainly needs to be on the agenda of every management meeting between now and next May. When appointing the team, think about who would be suitable for maintaining the ongoing responsibility once the initial compliance project has been completed.
It cannot be stressed highly enough that the entirety of the GDPR is focussed on ongoing compliance. A one-hit, smash-and-grab approach to compliance won’t cut the mustard. Being the best example of data protection compliance on 25th May 2018 is pointless if those brand spanking new policies and procedures are abandoned by 1st June.
The team involved in implementing the project (potentially led by an appointed DPO) will most likely be the individuals who form the ongoing governance team responsible for compliance and escalation of privacy issues within the organisation.
Should I appoint a DPO? The GDPR does kindly provide certainty around whether you need to appoint a DPO in some situations, such as if you are a public authority. It also indicates that organisations whose core activity involves systematic monitoring of individuals or large-scale processing must appoint a DPO, as must those whose core activities focus on processing sensitive data.
It may seem like another layer of bureaucracy, but we are some way behind the rest of Europe with our approach to installing data protection experts into businesses. For some years, the German government has required international companies and most other small and medium sized organisations to appoint (the excellently named) Datenschutzbeauftragter (DPO) onto their staff to monitor and advise on data privacy issues within the business.
What’s Sensitive Data? This is a term used to describe particular categories of personal information covered in the Data Protection Act 1998. The current categories of sensitive data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, and data concerning health, sexual orientation or sex life. The GDPR adds genetic and biometric data to this list.
If your organisation processes these categories, it is required to demonstrate an enhanced lawful basis for processing and has an increased requirement to run Privacy Impact Assessments and review its privacy policies on an ongoing basis.
If your core processing activities cover these categories, you are likely to need a DPO and will have to rely on one of the lawful bases for processing outlined in Article 9 of the GDPR.
Requirements of the DPO: The DPO will be required to have “an expert knowledge of protection law and practices” and will be required to monitor and advise on GDPR compliance within the organisation. Businesses can outsource the role or appoint from within.
It shouldn’t be too hard to find willing individuals once you tell them that they can print business cards with the title “Datenschutzbeauftragter” on them, but it’s important to note that they must still have the necessary knowledge and skill. Crucially, there is a requirement for them to maintain independence in their decision making regarding data protection and not let their existing role influence their decisions as a DPO. Equally, it is important that they feel they can challenge the executive management in matters of data protection as they enjoy protection from being penalised or dismissed for performing their role as a DPO.
Follow the data: Once the team is assembled (and HR-approved), the key task at hand is to run a full data audit. For all the personal information that the business holds, identify:
where did it come from (does it have compliant consent attached?);
why do you have it (what lawful basis is it processed under?);
how is it used;
who do you share it with (have data subjects been informed of your sharing practices?);
is it stored securely; and
the conditions under which it is shared, stored or destroyed.
This has to be done across the entire organisation to be effective. Audits are only as strong as their weakest link and a true risk assessment cannot be performed if only half of the picture is produced. From this full-scale audit, you will be in a position to create a full data inventory and decide if you have the requisite lawful basis in place for all the data you acquire and hold. It’s also a good opportunity to consider if you need to update your current systems and databases to allow for efficient and swift location of all the data you may need to retrieve in the event of a data subject requesting access or erasure of their information.
Now you have the team assembled, budget acquired, tasks assigned and data sorted, you’ll be needing a cup of tea and a biscuit. But once you’ve scoffed your garibaldi and downed your beverage of choice, it’s time to consider running the gap analysis, building the project plan and putting the new policies and procedures in place to work towards compliance prior to May 2018. Fortunately, that will be the focus of our next article.
If you would like any advice on complying with the GDPR or our data protection services, please get in touch by emailing firstname.lastname@example.org or calling 01603 339044.
Please note: the content of this article is for general information only and does not constitute legal advice. Specific legal advice should be taken in any specific circumstance.