Previously, we’ve outlined the changes in data protection laws due when the new General Data Protection Regulation (GDPR) comes into force on 28 May 2018. Here, we’ve identified ten areas to examine in order to comply, plus some FAQs.
Please note that this is an overview, not a step-by-step guide. As each step is quite lengthy, you will need to push on with changes as soon as possible to be ready for next May.
Data audit – document what personal data you hold (employee, client/customer, supplier etc.), where you and your employees hold it, where it came from and who you share it with.
Code of conduct – trade associations and representative bodies may wish to draw up a code of conduct covering topics such as fair and transparent processing, information provided to individuals, and data transfers outside the EU.
Data protection impact assessments – use for large scale processing activities, new technologies or where there is a high risk to the rights and freedoms of individuals.
Rights – ensure your procedures comply with new rights of individuals and establish how you will supply/delete data on request via your systems and processes.
Consent – review how and where consent is sought, obtained and recorded. Consent must be a positive indication of agreement to personal data being processed; a pre-populated tick box is not acceptable, for example.
Children – a parent or guardian’s consent is needed to process a child’s data lawfully. In the UK a child is likely to be defined as anyone under the age of 13. How will you establish age, communicate this consent process to children and verify consent?
Third party – any third party who uses your data on EU citizens must also comply with the regulations. Ensure you know who is using your data and for what purpose. Beware that your contractor may sub-contract the job.
Breaches – what will you do to detect, report and investigate a breach?
International – map out where your organisation makes its main decisions about data processing. This will determine which country is your supervisory authority, i.e. which authority will take the lead when investigating a complaint that crosses country borders.
What would be a legal basis for processing data?
Processing conditions include consent of the data subject, necessity for the performance of a contract and compliance with a legal obligation.
How many people in the organisation will GDPR affect?
A great many people in your organisation will handle personal data in one way or another, so a training programme for all staff would be helpful. Outline their roles and responsibilities from board level down and be prepared to repeat the messages more than once for it to sink in.
How do we keep control of what third parties (processors) are doing with our data?
Review your contracts now, and look at your procedures to ensure they are compliant. This includes providers outside the EU who may not have realised that the regulation applies to them. Cloud services might be used for HR, payroll, document sharing and other purposes, and the terms and conditions that you agreed to may reserve the right to use the data for secondary purposes; such terms will need revising or terminating.
How can we keep data safely stored under the new rules?
Controllers must meet individuals’ ‘reasonable expectations’ of data privacy by implementing measures that meet the principles of data protection by design and data protection by default. These include data minimisation, and making data less accessible through techniques such as encryption or pseudonymisation.
How can we demonstrate that our company has taken steps to comply?
If you have followed the steps above and can clearly show how you obtain, process and store personal data within the GDPR, it should demonstrate your company’s intent to comply.
Where can we find out more information?
The Information Commissioner’s Office (ICO) has many pages on its website dedicated to data privacy and data protection reform. It is part of the Article 29 Working Party, which is developing guidelines on some of the key aspects of the law. It plans to publish guidance on contracts and liability and on consent early in 2017. Reading some of its audit overviews will give you an idea of the practical measures that organisations have been required to apply.