A Guide to Surviving the GDPR: Part 2/2
After completing the steps in Part 1 of our Guide to Surviving the GDPR series (or creating a fantastically detailed plan for tackling those early stages), you will most probably have accumulated a large pile of data (hard-copy, digital or both) containing a seemingly unending volume of personal information. In this article, we discuss the next steps to take when implementing your GDPR compliant privacy strategy.
Spring clean your data: Completing the data inventory and assigning the applicable lawful basis to each item of personal data should help you clear out the ‘dead wood’ and minimise data you no longer require or cannot assign a lawful basis for processing. It’s paramount that you are able to assign a lawful basis for processing to all of the personal information you hold (taking account of any additional conditions required for sensitive personal data). Make sure you run an effective data cleanse to remove any information which is inaccurate or no longer relevant. If you are unsure of the correct criteria for each lawful basis, now is the time to refer to your DPO or seek legal advice.
If you are relying on consent as your basis for continued processing, ensure the consent you have collected is compliant with the new requirements and if not, consider whether it needs to be refreshed.
Mind the gap: Once you have assigned all of your personal data with a lawful basis for processing, you’ll need to create a gap analysis to review the steps required to implement a privacy programme specific to your business.
Think carefully about how the data processing of the business may affect the privacy rights of the individuals whose data is held. Examine your current policies and practices and measure them against the rights afforded to data subjects in the GDPR. Think carefully about your ability to:
- communicate your Privacy Practices (the GDPR stipulates certain information must be provided to Data Subjects prior to collection of information);
- respond correctly to Subject Access Requests within the allotted timeframe of one month;
- locate all of the information you process and justify why you are processing it. Data subjects can demand that you restrict processing or erase their data in certain circumstances. Be aware of what these circumstances are and how you would handle such requests;
- provide data held on an individual in a computer readable form for porting to another controller; and
- detect and notify the ICO of any data breaches. If the breach represents a high risk to the rights of individuals, you are required to inform the data subject in question.
Identify if you have the capacity and ability to assess how compliant your business is and what needs to be done to work towards GDPR compliance. The ICO website provides a good top-line gap analysis to steer you in the right direction of tasks that need to be undertaken. Now is the time to think about whether you need to outsource the process and what time and resources need to be applied before 25 May 2018 and onwards.
The passing of processor protection: If your business operates solely as a processor, unfortunately your days of sitting on the sidelines and watching the mayhem unfold are behind you. The GDPR brings in direct obligations for processors, which will not only require you to implement certain policies and procedures that mirror the obligations of data controllers, but you can also expect to see amendments to existing contracts and the presence of some more meaty obligations from controllers in any new agreements you look to enter into.
For all the controllers out there, now is the time to review your supplier contracts and ensure they are compliant with the criteria required under the new laws. It’s also very sensible to consider how liability is limited and shared between yourselves and any processors or joint controllers of personal data. Having a contract in place between you and your processors is mandatory under the GDPR, and it makes a lot of sense to come to an agreement on sharing liability and providing indemnities (where appropriate) before any trouble arises.
Change the record: The ICO will no longer require you to register as a controller from May next year, but as is so often the case, every silver lining has a great big, black cloud attached. In this instance, the particular regulatory cumulonimbus waiting to rain on your parade is the requirement to show ongoing compliance, and a big part of that is recording your processing decisions and activities.
Very soon you’ll be sick of the terms ‘accountability’ and ‘privacy by design’, but they are key to achieving adequate data privacy practices. Using only the data you require, building suitable privacy plans and keeping correct records of your activities are just a small part of this. If your business has fewer than 250 employees, there is some respite from the detail of record keeping required, but providing demonstrable evidence of data privacy actions within the organisation is going to be the best method to help you review your privacy structure and show the ICO that you respect and manage personal data appropriately.
Regardless of how large your organisation is, if your processing presents a likely risk to data subject privacy, your processing is more than occasional, or you process sensitive information, you will need to incorporate record keeping into your practices. As you’re probably acutely aware, there are some potentially hefty fines attached for not doing so. Good quality records provide the best method of assessing what is working well and what could be improved in your privacy planning during reviews.
Plug the gaps: Having state of the art encryption, military-grade computer security and a data centre protected by a squad of angry Rottweilers is no good if you haven’t accounted for the legal obligations required under the GDPR. Equally, having a fantastically compliant privacy plan is useless if all of your personal information is kept between a thumb drive and a broken filing cabinet.
Information security and privacy protection are two sides of the same coin and data protection law has always placed a great emphasis on the need to adequately secure the personal information you process. The GDPR is no different and requires the “implementation of appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. There are no specific standards set but adherence to “an approved code…or certification mechanism…may be used as an element by which to demonstrate compliance”. If you are unsure of your current security practices, now may be the time to seek advice from a cyber-security professional.
I love it when a plan comes together: Once the fundamentals have been put in place to provide a compliant privacy structure in your business, the hard work starts (I know, it’s not fair). As we’ve previously mentioned, all of this hard work will be in vain if you can’t maintain and demonstrate an adequate standard of privacy protection moving forward. This will include measures such as:
- building privacy by design into every new data processing endeavour;
- regular review of all of your privacy practices;
- conducting data protection impact assessments whenever your processing practices change which result in a likelihood of high risk to the rights of data subjects (and consulting with the ICO where necessary);
- ensuring staff are trained to integrate your policies and procedures; and
- constantly monitoring the practices of any processors you choose to contract with.
Undoubtedly the countdown to 25 May 2018 is advancing swiftly, but there is still time to address your current privacy practices and be compliant prior to the GDPR becoming fully enforceable. The key now is to turn your awareness of the need to act into effective actions.
If you feel you would benefit from guidance on how best to work towards GDPR compliance, please get in touch by emailing email@example.com or calling 01603 339044.
Please note: the content of this article is for general information only and does not constitute legal advice. Specific legal advice should be taken in any specific circumstance.