GDPR One Year on – A Spring Clean
GDPR One Year on – A Spring Clean
It is a year since the General Data Protection Regulation (GDPR) came into force. A reportin February this year found that there had been over 10,000 data breaches reported in the UK since 25th May 2018. With high profile breaches hitting the headlines such as British Airways, Marriott Hotels and various Government Departments including the Home Office and DVLA, it is as important as ever for all businesses large and small to ensure that they are compliant with the law.On-going compliance
Data Protection is an on-going compliance task for businesses and should remain a number one priority. Although data protection compliance must be considered daily, it is useful one year on from the implementation of GDPR to review the policies, procedures and framework put in place last year. You should check the following documents regularly to make sure that they are still up to date and relevant to your business practices:
- Data Protection Policy
- Privacy Notice(s)
- Information Security Policy
- Record of Data Processing
- Subject Access Procedure
- Breach Notification Procedure
- Procedure for transferring data outside the European Economic Area
- Any Data Sharing Agreements/Arrangements
- Any Other Related Procedures
Audit the information you hold
As part of the implementation of GDPR in 2018 you should have conducted an information audit to identify the data you process and how it flows into, through and out of your business. It is a good idea to carry out a mini audit of data to make sure that nothing has changed. Changes to the type of data you hold, where it comes from, what you do with it or who you share it with may require updates to your privacy notice, procedures and related agreements.
Check your consent requirements
You should regularly review how you ask for and record your consent (if consent is your legal basis for processing all or part of the data you hold). You should ensure that your systems for recording and managing ongoing consent are secure and remain fit-for-purpose.
If you are relying on legitimate interests as the lawful basis for processing, you should ensure that the business has applied the three part testand can demonstrate that the business continues to fully consider and protect individual’s rights and interests.
Check that you have procedures and systems in place to adhere to Subjects’ rights
Under the GDPR, data subjects have a number of rights. As a business you should check that you have appropriate procedures and systems in place to respond to requests concerning these rights, and you should take this opportunity to make sure these remain fit-for-purpose:
- Right to be informed (make sure your privacy notices are up to date; ensure that if offering online services to children that privacy information is communicated in a way that a child will understand)
- Right of access
- Right to rectification and data quality
- Right to erasure inc. retention and disposal
- Right to restrict processing
- Right to data portability (if relevant)
- Right to object
- Rights related to automated decision-making inc. profiling (if relevant)
Make sure that your security controls are robust. This includes review of IT security as well as physical security of premises and of data not held electronically.
All staff should be receiving appropriate data protection training. It is advisable for refresher training to be undertaken annually. One year on, now would be a good opportunity to consider refresher training. There are a number of generic and bespoke online training packages available and it is advisable to provide training that has a test element included.
Other tools that should be considered to ensure that your employees are up to date on data protection include Bespoke Data Protection Manuals/handbooks and visible posters around the office reminding people of the key ‘Dos and don’ts’ when dealing with personal data.
Make sure you have paid your data protection fee
Under the Data Protection Act 2018, most companies have to register with the Information Commissioner’s Office (ICO) and pay an annual fee (there are some exceptions). As written in an ICO blog published this month, “Data Protection doesn’t take a day off” and grounds such as the person responsible being on holiday, will not be a valid excuse for non-payment. There is a useful self-assessment toolavailable to check if your organisation needs to register. With fines up to £4350 for non-payment, payment and renewal of your data protection fee should be at the top of your to-do list.
Other areas to review and consider as part of your ongoing compliance:
- Written contracts with any processors you use or anyone you share data with
- Ensure your business manages information risks in a structured way to ensure that you understand the business impact of personal data related risks and manage them effectively
- Ensure appropriate technical and organisational measures to integrate data protection into your processing activities
- Ensure you know how and when a Data Protection Impact Assessment (DPIA) should be used
- Check whether you are required to or would benefit from having a nominated data protection lead or Data Protection Officer (DPO) in place
- Ensure an adequate level of protection for any personal data transferred outside of the European Economic Area
ICO help and guidance
The ICO website offers a number of specific checkliststo help businesses assess their compliance in a number of specific areas including:
- Checklist for Data Processors
- Information Security (including cyber security, mobile and home working, removable media, access controls and malware protection)
- Direct Marketing (including the Privacy and Electronic Communications Regulation; consent and bought-in marketing lists, telephone, email, text and postal marketing
- Records management (includes record creation, storage and disposal, access, tracking and off-site storage)
- Data Sharing and Subject access (including compliance monitoring, maintaining sharing records, registration and dealing with a request for personal data)
- CCTV (including compliance of CCTV systems inc. installation, management, operation, public awareness and signage)
Help where you need it
Bridgehouse Company Secretaries are brilliantly placed to help with all your data protection needs. We offer a number of data protection services including Data protection audits; data protection policies and procedures; out-sourced Data Protection Officer (DPO); Website compliance checks; and assistance with Subject Access Requests.
For advice on your data protection requirements and to get in touch click here.
DLA Piper GDPR Data Breach Survey: February 2019 https://www.dlapiper.com/en/uk/insights/publications/2019/01/gdpr-data-breach-survey/