GDPR – Are You Ready?!
It is now less than two months until the GDPR comes into force. Regardless of your size or turnover, if you hold personal data of any kind, you MUST comply with the new Regulation. Please also note that due to the Data Protection Bill currently before Parliament, the GDPR will continue to apply post-Brexit.
Here is a helpful checklist/To Do List to help you work towards compliance by 25th May 2018.
As the GDPR applies different levels of protection to different types of data, it is important that you know what personal data you currently hold.
- Carry out an information audit on what data you currently hold; what it is used for; where it came from and whether it is shared with anyone.
- Ensure that you only hold data that you actually need to carry out the purposes for which it is held (“data minimization”).
- Ensure that you do not hold too much historical data – if you are no longer processing personal data, ask yourself whether it is lawful for you to still hold it. NB this will apply to your historical emails as well as data held on a database (“data retention”).
- Ensure that if you hold Children’s data you are complying with the new special provisions, for example, that Privacy Notices are written in clear, plain language capable of being understood by a child and that adult consent is sought where required.
You must ensure that there is a lawful basis for processing personal data. There are six lawful grounds for doing so, including that the processing is carried out with the consent of the data subject, and that it is necessary for the performance of a contract with the data subject.
- Ensure that your Privacy Notices have been updated to ensure compliance with GDPR
- Ensure that consents relied upon can be evidenced
- Ensure you are no longer using ‘Opt-Out’ boxes (consent must be unambiguous, freely given, specific and informed)
- Consent is arguably the ‘riskiest’ of the lawful bases to rely on, as the data subject can withdraw consent at any time. Another lawful processing basis may be more suitable, for example the performance of a contract, or a legitimate interest of your organisation.
A large part of the GDPR covers accountability and being able to evidence your compliance:
- Ensure that your Data Protection Policy and Procedures, including those on Subject Access Requests, have been updated to ensure they are compliant with GDPR.
- Create a Register of Data Processing which will contain the details of the types of data held, what it is being processed for, the lawful processing grounds etc.
- Consider how compliance will be ensured – for example, by creating a data protection framework or by ensuring it fits within your current risk management arrangements.
- Ensure there is evidence of this compliance (written framework, procedures etc.).
If you outsource all or some of your data processing:
- Review your current data processing contracts and ensure that these are updated with the specific clauses required by the GDPR.
- Ensure you are aware of the new obligations placed on you (and the Processor) in regard to data processing arrangements.
- Ensure any current or upcoming tender processes are taking account of the new rules.
Rights of the Data Subject
Ensure that you have sufficient training and procedures in place to ensure that the following rights are not infringed:
- Right to be informed (provide fair processing information eg Privacy Notice)
- Right to access own data (similar to those already in existence, but note that you may no longer charge £10 for processing such a request and you now have less time to comply – one month rather than 40 days.)
- Right to rectification (right to have data rectified if it is inaccurate or incomplete)
- Right to erasure (the data subject can request deletion or removal of personal data where there is no good reason for processing to continue. NB there are grounds for refusing such a request).
- Right to restrict processing (in certain circumstances data can be stored but no further processing carried out)
- Right to data portability (unlikely to affect most Controllers; refers to the copy or transfer of personal data from one platform (e.g. Apple Music) to another (e.g. Spotify)).
- Right to object (includes objecting to processing in an organisation’s legitimate interests; objecting to processing for scientific or historical research and objecting to direct marketing)
- Rights relating to profiling and automated decision making (if your organisation carries out such tasks, you need to ensure specific compliance in this area)
Data Protection Officer (DPO)
- Consider whether you are required to appoint a DPO
- If so, ensure that DPO has received sufficient and adequate training
- Ensure that all staff have received sufficient training on GDPR, especially in regard to the new rights for data subjects and security breach reporting.
You cannot transfer personal data to countries or international organisations outside of the EU unless the European Commission has decided that the country/territory/organisation ensures an adequate level of protection; OR the recipient organisation has put in place appropriate safeguards to ensure that the individuals’ rights remain enforceable.
If neither of these applies, then it may still be justifiable to transfer on the basis of the individual’s informed consent, or because the transfer is necessary for the performance of a contract.
- It is recommended that you seek advice specific to your company on data transfer outside of the EU, to ensure compliance.
Similar to the current legislation, the GDPR requires controllers to ‘implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with [the] Regulation’.
What measures are appropriate will depend on:
- the nature, scope, context and purpose of processing; and
- the risks that are posed to the rights and freedoms of individuals.
Data Protection by Design and Default
- Ensure that whenever business practices, IT processes or physical infrastructure are designed, privacy and data security are integrated at the outset; this is a MUST, not an optional extra.
- Only data required for a specific, identified purpose should be processed.
- Ensure that you are familiar with what to do in the event of a security breach, when to inform the ICO and timescales for action.
- Ensure that staff understand the definition of a data breach and how to respond to one.
- Ensure clear escalation processes are in place for alerting senior people when a breach occurs.
These are just some of the ways to help your organisation towards compliance with the GDPR, and are the actions that should be taken before 25 May. However, compliance with the Regulation will be an ongoing and constant process, and you will need to ensure compliance in all of the areas that are applicable to your particular organisation.
For assistance on GDPR compliance, please contact us.