May 28 2018 – Are you ready?!
Before we begin, a couple of key points on GDPR itself:
Who does the GDPR apply to?
- The GDPR applies to ‘controllers’ and ‘processors’.
- A controller determines the purposes and means of processing personal data.
- A processor is responsible for processing personal data on behalf of a controller.
- If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
- However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
- The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
- The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
What information does the GDPR apply to?
- Personal data
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
- Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
- Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data” (see Article 9).
The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing (see Article 10).
You can find the rest of the detail behind GDPR in terms of the definitions, specific articles of law etc. here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/
We’ll mostly be referencing the ICO website here, as they are the ones who’ll be overseeing GDPR and its implementation, and frankly if the information is not on there it’s not worth knowing (or paying for).
- What is GDPR?
GDPR was adopted by the European Parliament in April 2016 to bring data protection rules up-to-date mostly around the use of personal information. It applies to all data processed within the EU and to data on EU subjects used by companies outside the union.
The rules come into effect on 25 May 2018 and will continue to apply in the UK after the country leaves the EU. The GDPR rules will be mirrored in the Data Protection Bill that is currently going through Parliament. It applies to both ‘controllers’ and ‘processors’, and covers existing rules that have now been strengthened as well as a series of new rights for data subjects.
- Things you need to do – Identify and document the data you hold
Basically, you need to identify the data you currently store, where it’s held, what’s personal or sensitive, how it’s processed and who has access to it. Document this information as thoroughly as possible.
“Have an initial catalogue so that you know the personal data in your business, where it is, its lineage and what processing you do,” is the minimum level of record-keeping suggested by Richard Hogg, IBM’s Global GDPR Evangelist. “That would form the basis that you could use if and when the regulator comes knocking from May 2018.”
- Review current data governance practices
Evaluate your current data practices and policies, document (if you haven’t already) the lawful basis for any processing and identify any areas that require improvements. Internal records have to be kept of any processing activities, with all data tagged and classified.
You need to look at how data flows across different borders, both within the EU and outside it, and pay special attention to any practices involving children’s data: GDPR has significantly strengthened the security requirements around processing, age verification and consent for such information.
The ICO has produced a series of data protection self-assessment toolkits to help you check your preparations in general and around information security, direct marketing (if you do any), records management, data sharing, subject access and even CCTV.
- Check your consent procedures
Under GDPR, consent for any data processing has to be specific, transparent, and auditable. The consent has to be simple to understand and easy to withdraw.
Be aware that under the new requirements for consent you may have to approach current data subjects (for example email subscribers) again to request new permission to use their data.
It’s worth reviewing your current consent processes and establishing whether consent is needed and how it should be provided, to ensure your obligations are being fulfilled. “GDPR is focusing on the record-keeping around consent and the audit trail you need to have,” says Steve Wood, head of international strategy and intelligence at the ICO.
“Consent has got to be easy to withdraw, and you’re going to need to be able to clearly name your organisation and make that clear to individuals, and also the third parties whom the data may be shared with.”
In essence, you have to now keep clear and transparent records of all consent taken, establish simple methods to allow the data subjects to withdraw their consent and regularly review your procedures to keep up with any changes in processing activities.
- Do I need a DPO?
A data protection officer (DPO) is necessary for public authorities or organisations that do large-scale monitoring of individuals or of special categories of data or data relating to criminal convictions and offences.
Even if a DPO is not essential for your organisation, designating an individual responsible for data governance will help keep your GDPR compliance on track. Ideally you should really appoint, at the very least, an individual to act as a contact point for the data protection authority (DPA) and data subjects.
- Procedures, procedures, procedures
Put in place processes for detecting, investigating and reporting breaches, and develop an internal plan for responses. Data breach testing can ensure your procedures are effective. Do you have cyber insurance? It’s worth investing in some. If you know any forensic investigators and PR people, keep their numbers handy; you may need them if your procedures aren’t robust enough.
- Develop your policies to support the rights of data subjects
You need to ensure your policies and procedures are adequate to enable data subjects to exercise their extended rights under GDPR. These rights are (all the links will take you to the ICO website):
- The right to be informed
- The right of access
- The right to rectification
- The right to restrict processing
- The right to data portability
- The right to object
- The right to not be subject to automated decision-making, including profiling
- The right to erasure
Consider how you, the business, can respond to any requests to exercise each of these rights, who is responsible, what systems will be required to support them and how to ensure that the information can be provided in a commonly used format.
The ICO recommends including a description of the processing operations and purposes, an assessment of the needs of the processing in relation to the purpose and an assessment of the risks and the measures in place to address them.
- Tell them about it!
The GDPR requires privacy protection by design and by default. Best practice for information governance should be part of your company’s DNA, not just the domain of one person. “Data is critical to many business processes, products, and services,” explains the Centre for Information Policy Leadership (CIPL) report.
“This is why GDPR implementation must be a concerted effort across the organisation, with the DPO working hand-in-hand with Chief Data Officer (CDO), Chief Information Officer (CIO), Chief Information Security Officer (CISO) and other senior leadership.”
Ideally, you should ensure there’s training in place for every staff member; at the very least, ensure that your staff know the basic requirements of GDPR and their responsibilities for ensuring compliance.
- Make a plan
After figuring out which current policies and practices need amending, establish a plan for implementing the necessary changes.
- Keep calm
Complying with GDPR will require time and effort, but there are positives that will come out of these regulations, as Elizabeth Denham writes on her blog (and I recommend you read it; it’s sometimes quite amusing!): “One of the key drivers for data protection change is the importance and continuing evolution of the digital economy in the UK and around the world. That is why both the ICO and UK government have pushed for reform of the EU law for several years.
The digital economy is primarily built upon the collection and exchange of data, including large amounts of personal data – much of it sensitive. Growth in the digital economy requires public confidence in the protection of this information.”
As always if you need any assistance with your websites or policies please do drop us a line.