In part 2 of our series of articles on GDPR, Alex Bailey discusses how to get started on the journey of preparing for it.
That date of 25th May 2018 is getting ever closer! By now you should be well underway with your implementation plans, data flow analysis and documentation.
No? You haven't even started yet? You are certainly not alone. Many UK businesses seem to be leaving it rather late to get their GDPR implementation projects up and running. There's a lot to get done between now and May, and you could find you are breaking the law if you are not ready in time.
The 12 Step Approach
It is well known that every journey starts with a single step. Unless you have consciously made the first step on the road to GDPR already, you need to make it right now. The deadline of 25th May 2018 will be here very soon and you may well have quite a lot more to get done by then than you currently realise.
The Information Commissioner's Office (ICO) has described a great 12 step approach to preparing for GDPR. In this article, I'll take you through a summary of the process.
STEP 1: Creating Awareness
This is that first all-important step in the journey. You need to ensure that the decision-makers in your business are fully aware of the coming changes to the laws governing Data Protection. Your business must have board-level understanding of its legal responsibilities and a top-level commitment to implementing appropriate policies and procedures right through the business. Directors and management must appreciate the impact, time, cost and staff training requirements that may be involved and fully support the process of change.
STEP 2: Know The Information You Hold
Unless you know what personal data you have, you cannot possibly know whether you are managing it appropriately, legally and securely. With today's distributed IT systems, cloud services and the low cost of very large disk storage, most businesses have data spread all over the organisation. Personal data can be on desktop and laptop hard disks, mobile devices, server file shares, databases, third-party file share services, backup systems, removable media, etc. Remember that 'personal data' is any information relating to an identified or identifiable natural person (a name, an email address, an IP address or a customer reference number all count), whether stored digitally or on paper.
So the second step involves creating an itemised inventory of what data you have, where it came from and where it is being processed and stored. Then when this is done, you need to document the flows of data that pass through the business operations until finally, you define the retention and destruction procedures.
We shall go into a lot more detail about this auditing process in a future article.
STEP 3: Communicate Privacy
You will need to review and update all your public notices and policies on safeguarding privacy. So the third step is to list all those places that you have such statements and notices. For example, your web site and your written Terms and Conditions and staff handbook. Then you must review and adjust them accordingly to ensure that they clearly communicate your policies and procedures in line with the new laws.
STEP 4: Understand the 8 Rights of the Individual
GDPR gives 8 rights to individuals in the EU (the 'data subjects'). Everyone will have the right to be informed about the personal data that's held on them, the right of access to that data, the right to rectification of errors, the right to erasure of their data, the right to restrict processing, the right to data portability, the right to object and finally, rights in relation to automated decision-making and profiling.
STEP 5: Consider How You Will Implement Subject Access Requests
In order to comply with the 8 rights of the individual, you will need to deal with Subject Access Requests (SARs). When a person whose personal data you may hold makes a formal request to see that data, and perhaps then asks for it to be corrected or deleted, you must respond without undue delay and in any case within one month (extendable by a further two months for complex or numerous requests, provided you tell the individual why), and in most cases you cannot charge for this service. Consider how you are going to publish your request procedure so as to make it accessible, then think about how you will verify the identity of the requestor, how the data is retrieved and provided to them, and how you are going to process any subsequent updates to the data.
STEP 6: Ensure You Have Legal Basis for Processing
The GDPR is not simply about the security of the data you are processing. That is only one aspect of protecting personal data. Data Protection starts by asking: why do you need this data in the first place? How did you obtain it? What are you going to do with it? Where will it be stored and for how long? Who are you going to share it with and why?
For all the items of information you have identified in the inventory you did in step 2, you need to be able to justify and document the answers to these questions. You must explain your 'lawful basis' for processing in your privacy notices and when responding to Subject Access Requests.
The lawful basis for processing personal data will in most cases be one of 6 specific categories (Consent, Contract, Legal Obligation, Vital Interests, Public Task or Legitimate Interests).
Special category data (e.g. health records, racial or ethnic origin, religious beliefs, trade union membership, genetic or biometric data) needs one of those 6 lawful bases and, in addition, one of the 10 conditions for processing set out in Article 9. Data about criminal convictions and offences is covered separately by Article 10.
STEP 7: Manage Consent
Following on from step 6, if your legal basis for processing is that of 'consent', the consent you obtain from subjects must be freely given, specific, informed and unambiguous. They must be asked to opt in (pre-ticked boxes and silence do not count) and have the reasons for holding and processing the data explained.
You must obtain separate consent for each distinct purpose for which you are collecting data, and cannot simply ask people to tick one box at the bottom of a long form to consent to everything. It needs to be separate from other Terms and Conditions. Individuals must be able to withdraw their consent at any time in the future, as easily as they gave it, and you need to provide a procedure for doing this.
So you have to manage the evidence of consent you have been provided and be able to audit those records.
In cases where you already have consent under the Data Protection Act 1998, it isn't necessary to re-seek that for the GDPR, provided the consent you hold meets the GDPR standard described above; if it doesn't, you will need to refresh it.
However, if consent is your only lawful basis for processing an individual's data and you do not hold GDPR-standard consent from them on the date when the GDPR comes in, you must stop processing that individual's records. Unless you can identify another lawful basis, or a legal obligation requires you to retain the data, you must also delete the personal data you hold about them in order to avoid breaking the law. This is a very important point to note.
Consent is a particularly complex topic and the ICO has published a 39 page guide to Consent for GDPR compliance.
STEP 8: Identify if you Have Any Control of Children's Data
The GDPR has specific provisions for the processing of personal data when the subjects are children. Where you rely on consent to offer online services ('information society services') directly to a child under 16, verifiable consent must be obtained from the parent or guardian. Member states may lower that age to 13, and the UK is doing so. This is particularly important if you are providing commercial or social networking services to children.
In such cases, privacy notices must be written in a language that children can understand.
STEP 9: Document Procedures for Dealing with Data Breaches
As we've all seen in the news lately, data breaches happen far too regularly. Unfortunately it is necessary to plan for when this might happen to you, not if it might happen. Even with good tight technical measures for security, personal data may leak out of your control through a disgruntled employee or a third-party service provider's errors.
You must establish your procedures for detecting and evaluating data breaches and limiting the potential damage as quickly as possible. The GDPR places a legal obligation on data controllers to inform the ICO within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to people's rights and freedoms. If you miss the 72 hours you must explain the delay. Furthermore, if it is established that the breach is likely to result in a high risk to the individuals whose data has been exposed, they must be informed without undue delay as well. Whether or not you report it, keep an internal log of every breach, what you found and what you did about it.
Remembering that paper records are equally as important to guard as electronic ones, consider how you would deal with a break-in to your filing room. Would you actually be able to tell what had been exposed or copied? How would you know which data subjects you need to inform?
This is a great time to think about digitising and scanning those old paper-based systems. It is a lot easier to control access to, and log access to, electronic records.
STEP 10: Adopt the Principles of Data Protection by Design
'Privacy By Design' is a formalised framework for the protection of privacy that was originally developed in the 1990s by Ann Cavoukian, then Information and Privacy Commissioner of Ontario, and is now adopted globally. It lays out 7 fundamental principles that put privacy considerations at the heart of new systems designs.
The Information Commissioner's Office in the UK recommends taking a 'Data Protection By Design' approach when embarking on new projects involving data protection considerations. Under Article 25 of the GDPR ('data protection by design and by default') this becomes a legal obligation: you must build in measures such as data minimisation and pseudonymisation, and default settings must be the most privacy-protective ones.
Over the coming months, you will see a lot of mentions of Privacy Impact Assessments (PIA) or Data Protection Impact Assessments (DPIA), as the GDPR calls them. These are techniques and tools to identify and reduce privacy and data protection risks.
The GDPR mandates that a DPIA be conducted where data processing "is likely to result in a high risk to the rights and freedoms of natural persons". Article 35 names three cases where this always applies: systematic and extensive automated evaluation of individuals (including profiling) that produces legal or similarly significant effects; large-scale processing of special category data or of data relating to criminal convictions and offences; and large-scale systematic monitoring of a publicly accessible area. If a DPIA shows a high risk you cannot mitigate, you must consult the ICO before going ahead.
STEP 11: Assign a Data Protection Officer Role
Under Article 37 you must appoint a Data Protection Officer if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if your core activities involve large-scale processing of special category data or criminal offence data. (The often-quoted 250-employee figure is not a DPO threshold; it relates to the exemption from keeping full records of processing activities under Article 30, and that exemption does not apply where processing is more than occasional or involves special category data.)
However, it is highly recommended that all businesses assign this role to a board-level Director or Partner, even where a formal DPO is not required. Data protection is a vital responsibility in the operation of all businesses today and there needs to be a top-down approach to adopting the requirements and responsibilities through strong management and appropriate policies and procedures.
STEP 12: Identify any International Concerns
During the analysis of data flows in step 2, you will need to look at all transfers of data you make out of your direct control. It's important to identify where there is a 'trust boundary' between you and your suppliers and business partners, and to have a written contract with every processor that meets the Article 28 requirements.
For example, data backups may well transfer nightly to a third-party storage service. You will need to seek assurances about where such service providers physically store and process the data: within the EEA, in a country covered by an EU adequacy decision, or under appropriate safeguards such as standard contractual clauses.
The GDPR is concerned with the protection of personal data relating to individuals in the EU, whoever they are and wherever that data is being stored or processed.
If your business is established in more than one EU member state, you need to determine which state's supervisory authority will be your 'lead supervisory authority' for cross-border processing. This will normally be the authority of the member state where your main establishment is, and it will coordinate with the other authorities involved.
The GDPR imposes restrictions on transfers of personal data to countries outside the EU, according to the adequacy of the legal safeguards that country can guarantee. Article 48 also provides that a court order or administrative decision from a country outside the EU is not, on its own, a lawful basis for transferring personal data; such a demand must be based on an international agreement, such as a mutual legal assistance treaty, to be recognised.
So finally, you must consider the need and justification for allowing such international transfers and document your decisions.
Of course, all these 12 steps don't actually have to be done in this linear sequence. There are many activities here that you will probably be doing in parallel.
But I hope I've managed to help you see the road ahead a little more clearly.
- Data protection reform
- Preparing for GDPR in 12 steps
- GDPR Self-assessment Toolkit
- Getting Ready for GDPR Checklist
To read the full text of the official GDPR document: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (General Data Protection Regulation)