GDPR is only one year away, and the clock is ticking to make sure your business is compliant. While there are many similarities between the existing Data Protection Act, there are a few distinct enhancements and additions that are vital to make before GDPR takes effect. It is essential to start planning your approach to compliance as early as you can, and to gain 'buy in' from key people in your organisation. You may need, for example, to put new procedures in place to deal with the GDPR's new transparency and individuals' rights provisions. In a large or complex business, this could have significant budgetary, IT, personnel, governance, and communications implications.
GDPR also places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability. Compliance with all the areas listed in this document will require organisations to review their approach to governance and how they manage data protection as a corporate issue.
Note that some parts of the GDPR will have more of an impact on some organisations than on others (for example, the provisions relating to profiling, or children's data), so it would be useful to map out which parts of the GDPR will have the greatest impact on your business model and give those areas due prominence in your planning process. For help outlining the best approach for your company, please get in touch. OryxAlign are offering a GDPR Readiness Assessment which will help get you on the right track towards full compliance.
There are 12 steps that you can take now to prepare your company for GDPR:
[feature text="AWARENESS" long="You should make sure that decision makes and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact that this is likely to have and identify areas that could cause compliance problems under the GDPR. Implementing the GDPR could have significant resource implications, especially for larger and more complex organisations. You may find compliance difficult if you leave your preparations until the last minute."]
[feature text="INFORMATION YOU HOLD" long="You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit across the organisation, or at least within particular business areas.
For example, if you have inaccurate personal data and have shared this with another organisation, you will have to tell the other organisation about the inaccuracy so it can correct its own records. You won't be able to do this unless you know what personal data you hold, where it came from, and who you share it with."]
[feature text="COMMUNICATING PRIVACY INFORMATION" long="You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
When you collect personal data, you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice. Under GDPR, there are some additional things you will have to tell people. For example, you will need to explain your legal basis for processing the data, your data retention periods, and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data. Note that the GDPR requires the information to be provided in concise, easy-to-understand and clear language."]
[feature text="INDIVIDUALS' RIGHTS" long="You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format. If you are geared up to give individuals their rights now, then the transition to GDPR should be relatively easy. This is a good time to check your procedures and to work out how you would react if someone asks to have their personal data deleted, for example. Would your systems help you to locate and delete the data? Who will make decisions about the deletion?
The right to data portability is new. This is an enhanced form of subject access where you have to provide the data electronically and in a commonly used format."]
[feature text="SUBJECT ACCESS REQUESTS" long="You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information. The rules for dealing with subject access requests will change under the GDPR. In most cases, you will not be able to charge for complying with a request and normally you will have just a month to comply, rather than the current 40 days. There will be different grounds for refusing to comply with subject access request - manifestly unfounded or excessive requests can be charged for or refused. If you want to refuse a request, you will need to have policies and procedures in place to demonstrate why the request meets these criteria.
You will also need to provide some additional information to people making requests, such as your data retention periods and the right to have inaccurate data corrected. If your organisation handles a large number of access requests, the impact of the changes could be considerable, so the logistical implications of having to deal with requests more quickly and provide additional information will need careful consideration."]
[feature text="LEGAL BASIS FOR PROCESSING PERSONAL DATA" long="You should look at the various types of data processing you carry out, identify your legal basis for carrying it out, and document it. Under the current law, this does not have many practical implications. However, this will be different under GDPR because some individuals' rights will be modified depending on your legal basis for processing their personal data. The most obvious example is that people will have a stronger right to have their data deleted where you use consent as your legal basis for processing. You will also have to explain your legal basis for processing personal data in your privacy notice and when you answer a subject access request."]
[feature text="CONSENT" long="You should review how you are seeking, obtaining, and recording consent and whether you need to make any changes. Like the DPA, GDPR has references to both 'consent' and 'explicit consent.' Consent has to be a positive indication of agreement to personal data being processed - it cannot be inferred from silence, pre-ticked boxes, or inactivity. If you rely on individuals' consent to process their data, make sure it will meet the standards required by GDPR. If not, alter your consent mechanisms or find an alternative to consent. Note that consent has to be cerifiable and that individuals generally have stronger rights where you rely on consent to process their data.
The GDPR is clear that controllers must be able to demonstrate that consent was given. You should therefore review the systems you have for recording consent to ensure you have an effective audit trail."]
[feature text="CHILDREN" long="You should start thinking now about putting systems in place to verify individuals' ages and to gather parental or guardian consent for the data processing activity. For the first time, GDPR will bring in special protection for children's personal data, particularly in the context of commercial internet services such as social networking. In short, if your organisation collects information about children - in the UK, this will probably be defined as anyone under 13 - then you will need a parent of guardian's consent in order to process their personal data lawfully."]
[feature text="DATA BREACHES" long="You should make sure you have the right procedures in place to detect, report, and investigate a personal data breach. Some organisations are already required to notify the ICO (and possibly some other bodies) when they suffer a personal data breach. However, the GDPR will bring in a breach notification duty across the board. This will be new to many organisations. Not all breaches will have to be notified to the ICO - only ones where the individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach.
You should start now to make sure you have the right procedures in place to detect, report, and investigate a personal data breach. Note that a failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself."]
[feature text="DATA PROTECTION BY DESIGN AND DATA PROTECTION IMPACT ASSESSMENTS" long="You should familiarise yourself now with Privacy Impact Assessments (PIAs) and work out how to implement them in your organisation. PIAs can link to other organisational processes such as risk management and project management. You should start to asses the situations where it will be necessary to conduct a DPIA. Who will do it? Who else needs to be involved? Will the process be run centrally or locally?
It has always been good practice to adopt a privacy by design approach and to carry out a privacy impact assessment as part of this. A privacy by design and data minimisation approach has always been an implicit requirement of the data protection principles. However, the GDPR will make this an express legal requirement."]
[feature text="DATA PROTECTION OFFICERS" long="You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements.
The GDPR will require some organisations to designate a Data Protection Officer (DPO), for example public authorities or ones whose activities involve the regular and systematic monitoring of data subjects on a large scale. The important thing is to make sure that someone in your organisation, or an external data protection advisor, takes proper responsibility for your data protection compliance and has the knowledge, support, and authority to do so effectively."]
[feature text="INTERNATIONAL" long="If your organisation operates internationally, you should determine which data protection supervisory authority you come under. The GDPR contains quite complex arrangements for working out which data protection supervisory authority takes the lead when investigating a complaint with an international aspect, for example where a data processing operation affects people in a number of Member States. Put simply, the lead authority is determined according to where your organisation has its main administration or where decisions about data processing are made. In a traditional headquarters (branches model), this is easy to determine. It is more difficult for complex, multi-site companies where decisions about different processing activities are taken in different places."]
Guidance for this article was taken from the ICO. For further information, please get in touch, and we would be happy to answer any questions you might have.