For the Data Protection Officer/Manager - Preparing Your Organisation for GDPR

10th Jul 2018

GDPR – Preparing For and Maintaining Compliance in your Firm

For the Data Protection Officer/Manager - The General Data Protection Regulation (GDPR) has applied since 25 May 2018 and, regardless of the outcome of Brexit, the UK's obligation to comply with it is unaffected. We hope the guidelines below help to highlight the key themes associated with the changes. For those familiar with the Data Protection Act 1998 (DPA), there are new and different requirements.

The GDPR builds on the belief in a right to privacy that produced one of the world's first major privacy laws: the EU's Data Protection Directive, adopted in 1995. That directive required companies and governments to be transparent, to have a legitimate reason for using personal data and to exercise care in handling sensitive data. In 1995 it was adequate for the technologies and processes of the time, but rapid technological change since then has necessitated an update. The GDPR seeks to keep privacy law relevant in a world where far more data is collected than ever before. It also establishes uniform law across the EU without major differences between countries, expanding the privacy rights granted to individuals while placing many new obligations on organisations. In the UK, the Information Commissioner's Office (ICO) is committed to helping businesses prepare for and comply with these new requirements.


August Nazareth,
Manager, Business Strategy/Client Engagement

GDPR – Who does this apply to:

GDPR is applicable to both ‘controllers’ and ‘processors’.

  1.  Controllers determine how and why personal data is processed
  2.  Processors act on the controller’s behalf.
  3.  In general, if your organisation is subject to DPA, it is most probably subject to the GDPR

Who does this not apply to: 

  1.  Processing by competent authorities for law-enforcement purposes (this falls under the separate Law Enforcement Directive)
  2.  Processing for national security purposes
  3.  Processing by individuals in a personal/household capacity.

How does this manifest itself:

As a processor, the GDPR places specific legal obligations on you directly: for example, you must maintain records of the personal data you hold and of your processing activities, and you carry legal liability if you are responsible for a breach. Under the DPA the statutory obligations fell on controllers, so direct obligations on processors are new under the GDPR.

As a controller, the GDPR places further obligations on your firm to ensure that your contracts with processors contain the terms the GDPR requires, creating a double safety net.

Geographic Locations: 

GDPR applies to processing by organisations operating within the EU

GDPR applies to companies outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour

What information and data does this apply to:

As under the DPA, 'personal data' is at the heart of the new rules. The GDPR's definition is much more detailed, for example explicitly covering online identifiers such as IP addresses. The definition provides for the changes in technologies and data repositories, reflecting how organisations now collect information about consumers and people. This data can be:

  1. HR records
  2. Customer lists
  3. Contact details, etc.

Databases and systems that store personal data are used by many departments within a company and need to be mapped out. Marketing, sales, human resources (HR), IT, sourcing, finance, payroll, risk management, health and safety and legal departments may be operating their own systems or working with external vendors to manage personal data.

If your organisation is already within the scope of the DPA, it will also fall under the GDPR, which applies to:

  1. Personal data processed by automated means
  2. Manual filing systems
  3. Unlike the DPA, chronologically ordered sets of manual records containing personal data
  4. Pseudonymised personal data, such as key-coded data, which can fall within scope depending on how difficult it is to attribute the pseudonym to a particular individual
  5. Special categories of personal data (the DPA's 'sensitive personal data'), with minor changes: the special categories now include genetic data, and biometric data where it is processed to uniquely identify an individual
  6. Profiling data, including monitoring or tracking data subjects to analyse or predict their economic situation, health, credit risk, etc.

Note that truly anonymous data, from which individuals can no longer be identified by any means reasonably likely to be used, is outside the GDPR's scope; pseudonymised data is not anonymous and remains in scope. Personal data relating to criminal convictions and offences is not included in the special categories, but extra safeguards apply to its processing.

For the Data Protection Manager/Officer - Preparing your organisation for GDPR

  1. Awareness

If you're charged with ensuring compliance, the first step is to ensure that decision makers, key management and staff are aware that the law has changed from the DPA to the GDPR. It's crucial to get buy-in, as the fines for violations are much higher. The first place to look is your organisation's risk register, if you have one. Whatever the size of your organisation, we recommend starting as soon as possible.

Action Areas:

  1. Who are the managers tasked with this process?
  2. Who are the direct reports and what is the mechanism for creating awareness?
  3. What are the timelines
  4. Where does the data reside?
  5. When you map the movement of your data where are the risks?
  6. How much of that data does your organisation really need? Are there duplications?

Developing a new awareness and changed behaviour along all levels from management to every department can be accelerated by printing off and  posting visual reminders and posters such as these from the ICO.

  2. Information you hold

The simplest approach is to organise an information audit that looks at every business area across the entire organisation.

Documenting what personal data your company holds, where it came from and who you share it with is imperative. The GDPR also requires your organisation to maintain records of its processing activities. And because personal data flows to other organisations, if you find that inaccurate data has been shared you must tell the recipients so they can correct their own records.

The GDPR's accountability principle makes you responsible for demonstrating compliance, which means tracking personal data both internally and externally, including where it resides within your various IT software and hardware systems. Under the GDPR, any excessive storage of duplicated information equals risk.

  3. Communications on Privacy

The ICO recommends reviewing current privacy notices and making appropriate changes for GDPR.

Most organisations will have a privacy notice giving identity details, how their information will be used, etc.   With GDPR, there are additional stipulations such as, explaining your (lawful) basis for processing the data, retention periods and informing them of their right to complain to ICO if they are uncomfortable with your protocols.   The ICO has published  Privacy, Transparency and Control  which is a must-read.   It covers not just obvious information you collect (in a form, etc.) but information that is given to an organisation through social media, website visits and data that is captured and used.  It becomes more challenging when a ‘permission trail’ does not exist in the traditional sense.   This could be data that is:

  • observed, if people are being tracked online or via their smart phones, tablets, etc.
  • derived, from combinations of data sets
  • inferred, by use of algorithms that analyse various data; such as social media, location data and records of purchases to profile people.   An example would be determining their state of health, credit risk, or employment suitability. 
  4. Individuals' Rights

Review your procedures to check that they cover all of the individuals' rights, including how personal data can be deleted and how it can be provided electronically in a commonly used format. The rights are:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure of their information
  • The right to restrict processing of their data
  • The right to data portability
  • The right to object
  • The right to not be subject to automated decision-making (including profiling).

The list above (check the ICO website for the full detail of each right) is useful for quickly ascertaining where your organisation stands. Are you able to delete an individual's data if they ask? Answering that requires you to answer some of the following questions:

  1. Can you map where the data has been used?
  2. Where was it transmitted?
  3. Where was it stored?
  4. Has it been stored in several places?
  5. If several departments have used that information, can you retrieve it and destroy it from every location?
  6. How long will that take?
  7. Who on your team will delete it?
  8. What processes are in place to document it was done?

Most companies that have been compliant with the DPA will already have some of these processes in place. The right to data portability is new: it applies to personal data the individual has provided to a controller, where the processing is based on consent or a contract and is carried out by automated means. Portability requires you to provide that data in a structured, commonly used and machine-readable form, at no cost to the requester.

  5. Subject Access Requests:

A large number of access requests can put a strain on your staff and systems if not adequately provisioned for. Determine at what point it becomes worthwhile to develop processes that let individuals access their information quickly online and without cost. The new rules to take into consideration:

  1. No charge (in most cases) for providing access.
  2. Requests must be complied with within one month, not 40 days as under the DPA; this can be extended by a further two months for complex or numerous requests, provided you tell the individual within the first month.
  3. Excessive requests can be refused or charged for.
  4. Refusing a request requires you to:
    • advise the individual why it is refused
    • tell them that they have the right to complain to the supervisory authority and to seek a judicial remedy
    • do so without undue delay, and at the latest within one month
  6. Lawful Basis for Processing and Privacy Notices:

The GDPR requires you to identify and document the lawful basis for each of your processing activities, and to review and update your privacy notices to explain it.

Reviewing the types of processing identified in your data mapping exercise will help you determine the lawful basis for each one, and documenting that basis supports the accountability the GDPR demands.

  7. Consent:

Most organisations have a consent procedure in place and probably follow the rules set out by the DPA. However, the GDPR is much more rigorous. It does not specifically call for a complete overhaul of a firm's existing consents, but if they don't meet the GDPR standard you will need to make the changes necessary to bring them into compliance (or rely on a different lawful basis). The ICO's document GDPR Consent Guidelines sets out the requirements:

[Image: the ICO's consent checklist. Source: ICO.org.uk]

To meet the GDPR standard, consent mechanisms need to be clear, prominent, granular, specific and opt-in (no pre-ticked boxes, and not bundled with other terms and conditions), and must allow withdrawal as easily as consent was given. Consent also needs to be documented: who consented, when, how and to what.

  8. Children

The GDPR brings special protection for children's personal data. Where you rely on consent to offer online services directly to a child, you need systems that verify age and obtain parental or guardian consent; this applies in particular to commercial internet services such as social networks and other online services. Under the GDPR a child can lawfully give their own consent from the age of 16, but member states may lower this to 13, and the UK's Data Protection Act 2018 sets the age at 13. All consent must be verifiable and documented, and privacy notices addressed to children need to be written in language children will understand.

  9. Data Breaches

Are you able to detect, report and investigate a personal data breach if one happens within your organisation? Under the GDPR you must notify the ICO of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; where the risk is high you must also inform the affected individuals without undue delay (and other organisations may need to be told, depending on the type of processing). A breach is likely to pose such a risk when its consequences could include:

  1. Discrimination
  2. Financial loss or risk
  3. Reputational damage
  4. Confidentiality breach, etc.

Assigned staff members need to be trained in the procedures to follow and the mechanisms to invoke should a breach occur. Similar to a fire drill, all the reporting processes and systems need to be set up before a breach happens, such as:

  1. Team with responsibility for managing a breach
  2. Communications mechanism internally
  3. Procedures, process and technology to quickly manage the breach
  4. Security measures from IT standpoint
  5. A pre-drafted statement, approved by the organisation's legal function, requiring only the specifics to be added in for the ICO, the data subjects, external organisations, etc.
  6. Checklist of external organisations to inform, depending on your organisation

With only 72 hours from becoming aware of a breach to inform the ICO, having a practised process will help control the situation, minimise damage and mitigate fines.

  10. Data Protection by Design and Data Protection Impact Assessments

The GDPR makes 'data protection by design and by default' a legal requirement, and makes data protection impact assessments (DPIAs) mandatory where processing is likely to result in a high risk to individuals, for example where:

  • A new technology is deployed
  • An operation where profiling affects individuals
  • Special categories of personal data are processed on a large scale

For all companies, including those that are project-based, 'data protection by design and default' becomes a necessary part of the project process, especially given the changing stakeholders within projects and the large external network of groups, firms and systems that data is held in and transmitted to and from. The ICO handbook Conducting privacy impact assessments code of practice

For smaller firms and projects, a privacy impact assessment for each project can be carried out by the project manager using the company's established (risk management) protocols. Where a DPIA indicates a high risk that you cannot mitigate, the GDPR requires you to consult the ICO before the processing begins.

Some screening questions can include:

  • Will the project involve the collection of new information about individuals?
  • Will the project compel individuals to provide information about themselves?
  • Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information?
  • Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?
  • Does the project involve you using new technology which might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition
  • Will the project result in you making decisions or taking action against individuals in ways which can have a significant impact on them?
  • Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records or other information that people would consider to be particularly private.
  • Will the project require you to contact individuals in ways which they may find intrusive?

These types of questions may be linked to your organisation's other processes, such as risk management.

  11. Data Protection Officers

Each company needs a designated staff member or manager who takes responsibility for data protection compliance.

Some organisations are required by the GDPR to formally designate a Data Protection Officer:

  1. Public Authorities
  2. Organisations whose core activities involve large-scale, regular and systematic monitoring of individuals.
  3. Organisations whose core activities involve large-scale processing of special category data or of data about criminal convictions (health records, etc.).

With the possible fines and legal implications brought about by the GDPR, it is imperative that the person responsible for data protection compliance has the knowledge, support from upper management and ability to assess new process required as well as any new technologies available to handle this role effectively.

  12. International

For companies operating in several EU member states your lead data protection supervisory authority needs to be determined and documented.

  1. Your lead authority is the supervisory authority of your main establishment. If your head office and all administration are based in London and you have satellite offices in Portugal and Spain, then the ICO is your lead authority.
  2. Main establishment is your central administration in the EU or the location where decisions about the purposes and means of processing are taken and implemented.

This is only relevant where cross-border processing is carried out: for example, processing by establishments in more than one member state, or processing by a single establishment in the EU which substantially affects individuals in other EU states.

International concerns also extend to suppliers and organisations you do business with that are not themselves subject to the GDPR. For instance, if your supplier of glass facades is in China or India, how does that affect your compliance? If your overseas contracts are with companies that do not comply with the GDPR, how far are you liable in the chain of accountability arising from shared data? Transfers of personal data outside the EU are only permitted with appropriate safeguards in place, such as an adequacy decision or standard contractual clauses, so these relationships need to be identified in your data mapping.

Conclusion:

Establishing the protocols and processes required for GDPR compliance may be a large task for companies that have not had to comply with the Data Protection Act. However, in our experience few firms are in that extreme category. If a firm has DPA protocols in place (and perhaps ISO 27001 certification) it is already compliant in some areas and will need to assess where its gaps lie.

The GDPR is an appropriate set of regulations for today's technologies, social media, data collection, analytics and profiling. It protects all citizens and data subjects and is geared to minimise abuse of information. With this mindset, getting it in place will make the ongoing management of change much easier and safer, whatever the technologies of the future.

And lastly, the fines are substantial (up to €20 million or 4% of global annual turnover, whichever is higher), so it would be prudent for companies to invest in training and certifying senior staff on the GDPR. In addition, Cyber Essentials and Cyber Essentials Plus certification demonstrates a baseline of technical security controls, although certification alone does not make an organisation GDPR-compliant or secure on all fronts. Check out our blog for information on the steps to getting certified through Nittygritty.net
