There is a lot of work to prepare for the General Data Protection Regulations due to come into effect in May 2018 regardless of the size of your enterprise – be it micro, small, medium or large, a commercial enterprise or a non-profit. Our first two articles in this series looked at individuals’ rights under the GDPR and the obligations on enterprises that need to comply with the new regulations. This article identifies 12 steps you can take now to start preparing for the regulations.
This article is based on the 12 Steps to Take Now guide published by the Information Commissioner’s Office (ICO).
We can help with many aspects of preparing for the new environment which we have outlined at the end of the article. In addition, the ICO will launch a dedicated telephone service on 1st November aimed at helping small businesses prepare for new data protection laws.
The GDPR does not require organisations to register with the Information Commissioner’s Office (ICO) as is required under the Data Protection Act, but you will be required to maintain documentation to demonstrate compliance. This of course means you have work to do!
The regulations are designed to cover all sizes of enterprise and scope of activities related to the processing of personal data. So not all aspects may be pertinent to your enterprise. For example, you may operate only in the UK, or you may not hold personal data related to children or other “sensitive” data. So, you should pick out those parts of the regulations related to your activities and focus on them.
You will need to have all “normal” cyber security defences in place as the regulations require you to have security measures to protect personal data from loss, alteration or unauthorised processing.
1. Create Awareness
As with any major change your enterprise needs to adopt, you should ensure key people in your organisation are aware of the GDPR and the compliance obligations it will bring.
2. Document Information Held
You should document what personal data you hold, where it came from and who you share it with.
If you share information with other organisations and you discover it has errors, you will need to send them a correction – which means you need to know what you have and where it’s located. You may need to organise an information audit across the organisation or within particular business areas. Although outside the scope of these regulations, it is good practice to similarly document other important enterprise data you hold.
3. Review Privacy Notices
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice. Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data. The GDPR requires the information to be provided in concise, easy to understand and clear language. The ICO has published guidance on Privacy notices under the EU GDPR.
4. Individual Rights Management Processes
You will need to develop procedures to ensure your organisation can deliver the rights individuals have under the GDPR.
Your procedures should cover how you would react if someone asks to have their personal data deleted, for example. Would you know where all of a data subject’s records are? Would you know how to balance the request for deletion against your legal obligation to retain some data records for a number of years? Who will make the decisions about deletion?
The right to data portability is also new. You will need to know under what conditions you need to provide the information and how and in what format you will provide it.
5. Subject Access Request Management
You need to develop processes to ensure you can respond appropriately to Subject Access Requests within the specified time period.
The DPA already allows data subjects to request access to their data, but under the GDPR you will be required to fulfil the request in a month, rather than the current 40 days and in most cases, you will not be able to charge.
6. Lawful Basis for Processing Personal Data
You need to confirm that you have a lawful reason for processing personal data and confirm that any arrangements you have with data processors are compliant with the GDPR.
The GDPR stipulates the processing of personal data must have a lawful basis and so you should identify the lawful basis for your own processing activity, document it and update your privacy notice to explain it. The lawful reasons for processing are laid out by the ICO here.
Where a third party is used to process data on your behalf (a data processor) you have an obligation to ensure they provide sufficient guarantees of appropriate technical and organisational measures. These processors could be firms that provide your email, data storage, accounting, CRM or web applications, for example. The regulations require that these arrangements be governed by a contract. The ICO will provide guidance on the contractual requirements.
7. Managing Consent
Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.
At the time of writing the ICO has published draft guidance on consent, but this has yet to be finalised. So, watch this space.
8. Protecting Children
If your organisation works with children you need to be working on the safeguards specified by the ICO.
For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK).
The ICO is working on the issue of children’s personal data and aims to publish its views this year.
9. Data Breach Management
You should make sure you have the right processes in place to detect, report and investigate a personal data breach.
The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals. You need to ensure you have the processes in place to detect a breach and to respond appropriately if one does occur.
Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
10. Data Protection by Design
You need to start building data protection “into” your organisation and not just treat it as a “bolt-on” and review whether you are required to conduct data privacy impact assessments.
The ICO considers it good practice to adopt a privacy by design approach and to carry out a Privacy Impact Assessment (PIA) as part of this. However, the GDPR makes privacy by design an express legal requirement and makes Data Protection Impact Assessments mandatory in certain circumstances.
You should also familiarise yourself with the guidance the ICO has produced on PIAs as well as the GDPR-specific guidance being developed, and work out how to implement them in your organisation.
11. Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer (DPO).
It is most important that someone in your organisation, or an external data protection advisor, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to carry out their role effectively.
12. International Operations
If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this. You should check and ensure that personal data is only processed in an approved third country or by an approved organisation.
The lead authority is the supervisory authority in the state where your main establishment is. Your main establishment is the location where your central administration in the EU is or else the location where decisions about the purposes and means of processing are taken and implemented. This is only relevant where you carry out cross-border processing.
To ensure personal data is properly safeguarded, transfer of personal data to a third country or an international organisation may only take place where the EU Commission has decided that the third country or the organisation provides an adequate level of protection. So, you need to confirm that any organisation that processes your personal data meets these requirements.
How PAAC IT can help
There is a lot to work through to ensure you are compliant with the new regulations by 25th May 2018.
PAAC IT is able to assist with many of the capabilities you need to have in place including:
- Building awareness and developing a plan of what needs to be done;
- Data discovery to identify what personal and other confidential enterprise data you have, where and how it is stored and documenting it;
- IT security through security software, firewalls, software patches and data encryption as well as security policies and staff training;
- Managing cloud service providers and providing guidance on the ones that comply with the GDPR;
- Data breach management – helping you put in place the capabilities to protect against a data breach and to manage and contain a breach should one occur.
If you’d value some help or guidance please call me, Richard Paterson on 01428 770290 or email me at rich.paterson@paac-it.co.uk.