For the Data Protection Officer/Manager - The General Data Protection Regulation (GDPR) was in force from 25 May 2018, and regardless of the outcome of Brexit the UK requirement to comply with the Regulation is unaffected. We hope the guidelines below help to highlight the key themes associated with the changes. For those familiar with the Data Protection Act 1998 (DPA), there are new and different requirements.
GDPR is based on the belief in a right to privacy, a belief that resulted in one of the world’s first major privacy laws: the EU’s Data Protection Directive, adopted in 1995. It required companies and governments to be transparent, to have a legitimate reason for the use of personal data and to exercise care in the handling of sensitive data. In 1995 the directive was adequate for the technologies and processes of the time. However, the rapid technological changes in the years since then have necessitated an update. The GDPR seeks to ensure privacy law remains relevant in a world where far more data is collected than ever before. The GDPR also ensures a uniform law exists across the EU without major differences between countries, expanding the privacy rights granted to individuals while placing many new obligations on organisations. In the UK, the Information Commissioner’s Office (ICO) is committed to assisting businesses to prepare for these new requirements and to be in compliance.
Manager, Business Strategy/Client Engagement
GDPR is applicable to both ‘controllers’ and ‘processors’.
As a processor, the GDPR places specific legal obligations on you, including the requirement to maintain records of personal data and processing activity. More legal liability is placed on processors if they are responsible for a breach. This is a new obligation for processors under GDPR.
As a controller, the GDPR places further obligations on your firm to ensure your contracts with processors comply with the GDPR, creating a double safety net.
GDPR applies to processing by organisations operating within the EU
GDPR applies to companies outside the EU offering goods or services to individuals in the EU
Similar to the DPA, ‘personal data’ is at the heart of the new rules. The GDPR’s definitions are much more detailed, for example identifying IP addresses as personal data. The definition provides for the changes in technologies and data repositories, reflecting how organisations now collect information about consumers and people. This data can be:
Databases and systems that store personal data can be used by many departments within a company and need to be mapped out. Marketing, sales, human resources (HR), IT, sourcing, finance, payroll, risk management, health and safety and legal departments may be operating their own systems or working with external vendors to manage personal data.
If your organisation is already within the scope of DPA, it will also fall under GDPR and applies to:
Note that personal data relating to criminal convictions/offences is not included, but extra safeguards apply to its processing.
Preparing your organisation for GDPR
If you’re charged with ensuring compliance, the first step is to ensure the decision makers, key management and staff are aware that the law is changing from the DPA to GDPR. It’s crucial to get buy-in, as the fines are much higher for any violations. The first place to look is your organisation’s risk register, if you have one. Whatever the size of your organisation, we recommend starting as soon as possible.
Developing a new awareness and changed behaviour along all levels from management to every department can be accelerated by printing off and posting visual reminders and posters such as these from the ICO.
The simplest approach is to organise an information audit that looks at every separate business area and is rolled out across the entire organisation.
Documenting what personal data is held at your company, where it came from and who you have shared it with is imperative. The GDPR also requires your organisation to maintain records of the information that was processed. And because all information is networked with the external world, any inaccurate data you have shared needs to be corrected with the receiving organisations so they can update their records.
The GDPR’s accountability principle makes you accountable for internal and external tracking of personal data. This includes where it resides within your various IT software and hardware systems. With the GDPR, any excessive storage of duplicated information equals risk.
The ICO recommends reviewing current privacy notices and making appropriate changes for GDPR.
Most organisations will have a privacy notice giving identity details, how individuals’ information will be used, etc. With GDPR there are additional stipulations, such as explaining your (lawful) basis for processing the data, your retention periods, and informing individuals of their right to complain to the ICO if they are uncomfortable with your protocols. The ICO has published Privacy, Transparency and Control, which is a must-read. It covers not just the obvious information you collect (in a form, etc.) but information that is given to an organisation through social media and website visits, and data that is captured and used. It becomes more challenging when a ‘permission trail’ does not exist in the traditional sense. This could be data that is:
A review of your procedures should cover individuals’ rights, including how personal data can be deleted and how it can be provided electronically in a commonly used format. Included are:
The list above (check the ICO website for a complete list) is useful in quickly ascertaining where your organisation stands. Are you able to delete an individual’s data if they ask? Answering this would require you to address some of the following questions:
Most companies who have been in compliance with the DPA will already have some of these processes in place. The right to data portability is new and applies to personal data provided to a controller. Portability requires you to provide the personal data in a structured and machine readable form at no cost to the requester.
A large number of access requests can put a strain on your staff and systems if not adequately provisioned for. Determine at what point it is desirable to develop processes that allow individuals to access their information quickly online and without cost. The new rules to take into consideration:
The GDPR requires you to identify and document the lawful basis for your processing of personal data, and to review/update your privacy notices to explain it.
In your data mapping exercise, reviewing the types of processing activities being carried out will identify your lawful basis for doing so. This will help firms comply with accountability as determined by the GDPR. The ICO has an excellent toolkit for encouraging privacy awareness at all levels via printable posters for the workplace.
Most organisations have a consent procedure in place and probably follow rules set forth by the DPA. However, the GDPR is much more rigorous and while not specifically calling for a complete overhaul of a firm’s existing consents, if they don’t meet the GDPR standard you’ll need to make the necessary changes to bring them into compliance. The ICO’s document GDPR Consent Guidelines sets out the requirements:
To meet GDPR standards consent mechanisms need to be clear, prominent, granular, specific opt-in and allow for withdrawal. They also need to be documented.
The GDPR brings special protection for children’s personal data, making it necessary to put in place systems that verify individuals’ ages and obtain parental or guardian consent. This is especially so for commercial internet services. Social networks, online services, etc. will need parent/guardian consent before processing personal data lawfully. At 16 a child can lawfully give their own consent. It may be lowered to 13 in the UK. All consent must be verifiable and documented. In addition, privacy notices need to be written in language children will understand.
Are you able to detect, report and investigate a personal data breach if it happens within your organisation? Some organisations are required to notify the ICO (and other organisations depending on the type of data processing) when a personal data breach is suffered. Especially if the ramifications could result in:
Assigned staff members need to be trained in the procedures to follow and the mechanisms to invoke should a breach occur. Similar to a fire drill, all reporting processes and systems need to be set up before a breach happens, such as:
With only 72 hours to inform the ICO of a breach, having a practiced process will help control the situation, minimise damage and mitigate fines.
For certain organisations and circumstances, the GDPR makes privacy a legal requirement under the term ‘data protection by design and default’. It also makes ‘data protection impact assessments’ mandatory where data processing results in high risk for individuals, in examples such as:
For all companies, including those that are project-based, the GDPR’s requirements for ‘data protection by design and default’ become a necessary part of the process, especially due to the changing nature of stakeholders within projects and the large external network of groups, firms and technologies in which data is held and to and from which it is transmitted. The ICO handbook Conducting privacy impact assessments code of practice
For smaller firms and projects, a Privacy Impact Assessment for each project can be carried out by the project manager, based on the company’s established overall protocols (risk management). For extremely large firms, the ICO recommends consulting with them to sufficiently manage high-risk data processing.
Some screening questions can include:
For example, health records, criminal records or other information that people would consider to be particularly private. Will the project require you to contact individuals in ways which they may find intrusive? These types of questions may be linked to your organisation’s other processes such as risk management.
Each company needs to have a designated staff member or manager that takes responsibility for data protection compliance.
Some organisations are required by the ICO to formally designate a Data Protection Officer:
With the possible fines and legal implications brought about by the GDPR, it is imperative that the person responsible for data protection compliance has the knowledge, the support of upper management and the ability to assess the new processes required, as well as any new technologies available, to handle this role effectively.
For companies operating in several EU member states your lead data protection supervisory authority needs to be determined and documented.
This is only relevant where cross-border processing is carried out. For example, a single establishment in the EU that carries out processing which substantially affects individuals in other EU states.
International concerns also affect suppliers and organisations you do business with that aren’t required to follow GDPR. For instance, if your supplier of glass facades is from China or India, how does that impact your compliance? Or if your overseas contracts are with companies that do not comply with GDPR, how much are you liable for in terms of the chains of accountability arising from shared data?
Establishing the protocols and processes required for GDPR compliance may be a large task for companies that have not had to comply with the Data Protection Act. However, in our experience, few firms are in that extreme category. If a firm has DPA protocols in place (and perhaps ISO 27001) it is already compliant in some areas and will need to assess where its gaps arise.
The GDPR is an appropriate set of regulations for today’s new technologies, social media, data collection, analytics and profiling. It protects all citizens and data subjects and is geared to minimise abuse of information. With this mindset, getting it in place will make the ongoing management of change much easier and safer regardless of the new technologies of the future.
And lastly, the fines are so substantial it would be prudent for companies to invest in the training and certifying of senior staff on the GDPR. In addition, Cyber Essentials and Cyber Essentials Plus will ensure your organisation is secure on all fronts. Check out our blog for information on the steps to getting certified through Nittygritty.net
Apr, 24th, 2018
Apr, 15th, 2018