Businesses were given two years to get up to speed with the requirements of the GDPR and implement the technical and organisational measures that it refers to. Whilst some are on top of this, some have not yet completed this process, others have not yet started. Demonstrating best efforts to comply will be viewed favourably and as the Information Commissioner has emphasised – those businesses who engage with the ICO to resolve issues and can demonstrate effective accountability arrangements will find the ICO to be fair, and that enforcement will be proportionate and a last resort. Here we detail some actions that can be taken in preparation for the GDPR coming into force on 25th May 2018, based on the guidance provided by the ICO. In complex organisations this may have significant financial, IT, personnel and governance implications so a clear plan must be put in place as soon as possible.
Framework and Data Protection
by Design and Default
Privacy Information to Individuals
Basis for Processing
Data and Children
A good starting point for all businesses is to first undertake a data mapping exercise. This can be effectively done by undertaking a personal data audit. This will allow you to gain a clearer overview of what data you hold and how it is currently used. You can then assess which parts of the GDPR will have the greatest impact on your current business model which will in turn allow you to focus on those areas during your future data protection planning process. It will enable you to document what personal data you hold, where it came from and who it is shared with, how it is protected and how long it is retained for. It should highlight any gaps and areas of risk.
Despite the media coverage of the impending changes to data protection law, many people are still unaware of what it entails and consequently how it may impact them and their role within an organisation. Raising awareness within every organisation dealing with personal data is crucial. Key people within organisations should be getting up to speed with the regulation’s requirements, identifying areas that may cause compliance issues (for example by using a data mapping exercise as mentioned above). Making necessary organisational and technical changes, updating policies and procedures accordingly, as well as training staff will all take time so businesses must now make this a priority.
Establishing an Effective Governance Framework and Data Protection by Design and Default
Data Protection regulators have always recommended the privacy by design approach, but now the GDPR makes privacy by design a legal requirement. Organisations can no longer add on data protection processes as an after-thought when designing projects, products and services. The obligation on organisations is now to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities.
An effective way to integrate the concept of data protection by design and default within an organisation is to establish an effective data governance framework. Once in place, this will act as a foundation upon which all other data protection obligations under the GDPR will be easier to meet. Having such a framework in place means that data protection will become in effect part of the culture of an organisation rather than being seen as an “optional extra”. A solid data governance framework will include, as a minimum, the following aspects: regular data audits, regularly reviewed privacy policies, data retention procedures, GDPR compliant supplier agreements, GDPR compliant data transfer procedures, adequate and regular staff training, data security measures, clearly allocated roles including, if required, a data protection officer.
Effective Communication of Privacy Information to Individuals.
Businesses must make sure they are providing sufficient and appropriate information to individuals – such as identity details, information on how you are going to use their data, your lawful basis for processing, how long it will be held for and the rights they have with regard to the data processing which must all be presented in concise, easy to understand and clear language. This is usually done in a privacy notice, so current privacy notices should be reviewed and updated as required. Organisations also need to ensure that individuals are informed of their rights – the right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to data portability (in limited circumstances), right to object and the right not to be subject to automated decision-making. Individuals must also be aware that they have a right to complain to the ICO about the way in which their information is being handled by an organisation. You must therefore ensure that you have procedures in place ensure these rights can be exercised by individuals and dealt with effectively and promptly by your organisation.
Establishing your Lawful Basis for Processing.
In order to process data under the GDPR, organisations must identify a lawful basis to do so. Up until now, the choice of lawful basis relied upon has not had many legal implications. This has changed as under the GDPR, controllers must be able to specify and document their lawful basis for processing and individuals’ rights will be modified depending on which lawful basis is being relied upon. Once you have carried out an audit or data mapping exercise as recommended above, you should be able to establish the relevant lawful basis.
Special Categories of Data and Children.
Those who process special category data must identify and document both a lawful basis under Article 6 and also a separate condition for processing special category data under Article 9, remembering that GDPR expands the previous sensitive data definition by adding genetic and biometric data.
If you intend to process data relating to children, you must ensure that all privacy notices for children are written in plain, clear age-appropriate language to ensure that they understand what their data will be used for, the risks involved and what rights they have. This could include the use of diagrams, cartoons, graphics and videos, icons or symbols. When identifying your lawful basis for processing always focus on the protection of the child and whether the child will be able to understand what they are agreeing to. Adequate safeguards must be put in place where appropriate. If you are using consent when you are offering an online service, remember only those aged 13 or over can consent – for anyone younger you will require the consent of their parent or guardian, using age verification and identity verification where required. Age verification mechanisms will need to be put in place. Avoid making decisions based solely on automated processing using the personal data of children except under the limited exceptions set out in the Regulation.
High up the agenda for all organisations processing personal data should be their data breach notification process. Both data controllers and processors now have an obligation to notify certain types of personal data breaches. Controllers have the additional burden of documenting any such data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. Given the time limitations on notifying breaches to supervisory authorities and potentially also the individuals involved, as well as potential fines for failure to do so and potential bad press associated with such a failure, putting a solid breach notification process in place is essential. Your data breach policy should include breach detection tools, clearly documented reporting lines and investigatory procedures.
Data Protection Impact Assessments.
The GDPR makes Privacy Impact Assessments compulsory in certain circumstances in which data processing is likely to result in high risk to individuals. Specific examples include where a profiling is likely to significantly affect individuals or where there is processing on a large scale of the special categories of data. Another example is where a new technology is being introduced, meaning that at the design phase of any new product or service involving personal data, a privacy impact assessment should be carried out. The ICO has produced a Code of Practice on Conducting a Privacy Impact Assessment which can be used by organisations as a guideline on how to conduct a DPIA. Following any DPIA which indicates a high risk that cannot be adequately addressed internally, organisations must contact the ICO to seek its opinion on whether the processing operation complies with the GDPR. Consequently, individuals within organisations must be allocated the responsibility of undertaking DPIAs and trained accordingly.
Data Protection Officers.
Organisations need to establish whether they require a Data Protection Officer (DPO). Those that must appoint one include:
- public authorities
- controllers or processors whose core activities consist of processing operations which by virtue of their nature, scope or purposes require regular and systematic monitoring of data subjects on a large scale
- controllers or processors whose core activities consist of processing sensitive personal data on a large scale.
However, any organisation can choose to appoint a DPO. Therefore, depending on the size of the organisation, volume of personal data processed, complexity of processing activities and resources of the organisation, some organisations that are not obliged to appoint a DPO under the GDPR may choose to do so anyway, always adhering to the requirements relating to DPO experience and responsibilities set out in the GDPR.
Cross Border Transfers of Data.
If your organisation transfers data to other EU states you must identify and document the lead supervisory authority. This will depend on where your main establishment is so it is important to seek guidance on determining where this is. Transfers of personal data to third countries outside the EU are allowed only where both controllers and processors comply with the conditions laid down in the GDPR. Under the GDPR, the transfer of personal data to recipients outside the EU is generally prohibited unless:
- The jurisdiction in which the recipient is located is deemed to provide an adequate level of data protection
- The data exporter puts in place appropriate safeguards; or
- A derogation or exemption applies.
Note: you can click the above boxes for more information.