We’ve now all heard of GDPR and been inundated with Privacy Notices and consent forms. However, for many businesses, the 25th May was just the start of an ongoing process to ensure GDPR compliance.
For organisations who are mailing and emailing customers, it’s important to ensure that a clear route to compliance has been documented and customer data is protected. But what do you actually need to do? Read our guest post to help you get started.
There is undoubtedly a lot to consider, so we have put together 8 steps to succeed st GDPR.
1. Data Mapping and Discovery
Preparing for GDPR can be viewed as an exercise in business change. Once you have assigned responsibility for the project and reviewed scope the first task is to carry out a data mapping and discovery exercise.
This exercise needs to be thorough and robust. It will enable you to identify the data flow, describe its lifecycle and understand key characteristics. For example, characteristics will include the type of data being processed, methods of collection and access.
A challenge in data mapping is understanding all of the data your organisation holds – often there are information silos and various formats of data across departments.
2. Gap Analysis
Once you have a clear view of your information, you can assess your current data security arrangements against the requirements of GDPR. Consider the following types of controls:
- Physical security; who has access to physical locations where the data is stored? Control your key holders and consider what additional physical security could be put in place to protect the data, such as locked cabinets and safes.
- Technical security; are systems password protected and could you use 2-factor authentication (such as a mobile phone verification process)? Consider other technical measures such as encryption, stronger firewall configurations, reputable anti-virus and anti-spyware software.
- Administrative security; do you have policies and procedures in place that define how staff can securely handle personal data? Do your procedures include a way to ensure that you observe data retention periods?
3. Review Privacy Notice
Providing a clear and accessible Privacy Notice is also a key to ensuring Data Subjects have easy access to all the information they are entitled to under GDPR. While Privacy Notices are also used under the Data Protection Act, GDPR goes further and requires a more detailed list of what to include. The emphasis is on making these notices understandable – organisations must make it clear how data will be used.
Data controllers must take ‘appropriate measures’ to ensure that individuals are aware of the facts; at the point of first contact or data collection. The information that companies provide about how their data is processed must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
Data mapping your information flows (as in point 1) will give you much of the detail required to write a robust Privacy Notice. GDPR simply brings into effect what has always been considered good practice.
> View our Privacy Notice example
4. Lawful Grounds
Ensure that you understand the lawful grounds under which you can hold and process personal data. Many businesses focus on Consent, but consent grounds are often not the most appropriate. They should arguably be the last form of lawful grounds considered, unless consent is stipulated by any laws or regulations that you may be subject to.
Lawful Grounds you are able to consider are:
- Consent
- Contractual Necessity
- Legal Necessity
- Vital Interest
- Public Interest
- Legitimate Interest
> Read more from the ICO on Lawful basis for processing
5. Implement Policies & Procedures
GDPR means reviewing a number of internal policies, processes and procedures to ensure that they meet the requirements. In some cases, new policies will need to be implemented. Areas to review include:
- Consent Process– review how you seek, record and manage consent and update consents if necessary.
- Data Subject Access Requests – how will you handle and respond to these?
- Data Protection Impact Assessments (DPIA) – have a process in place to determine if and when a DPIA is required
- Data Breaches – know how you will detect, report and investigate a data breach
- Security – ensure that data is secure through clear procedures as well as technical means
- Working through these stages will ensure that you are prepared for GDPR.
6. Contract your 3rd Party Processors
When you provide a 3rd party with personal data that you control, you suddenly increase your risk and liability for that data.
Any penalties issued as a result of a breach to that data are proportionate to the size of the controller’s (your) business. Whilst fines can now be levied against data processors (your service provider), they can ultimately be recovered from the data controller (you) where the Processor is unable to pay them.
In addition, where a company is part of a group of companies penalties can be recovered from anywhere within the group. This includes from other facilities in the EU, enforced with help from Supervisory Authorities in those countries.
GDRP now has some specific requirements regarding 3rd party processors, including the requirements to have a contract in place that legally provides for confidentiality and the right to audit the Processor.
7. Data Protection Officer
Your organisation should designate someone to take overall responsibility for data protection compliance within the business. In some instances, you may need to allocate a Data Protection Officer (DPO). Article 37 states that:
The controller and the processor shall designate a data protection officer in any case where:
- the processing is carried out by a public authority or body,
- the core activities require regular and systematic monitoring of data subjects on a large scale;
- the core activities relate to large-scale processing of special data—for example, biometric, genetic, geo-location.
These conditions apply to small and medium-sized enterprises (SMEs) as well as large corporate firms. The DPO’s role is to inform and advise the business of their data protection obligations, monitor compliance and advise on DPIAs.
Often this is not a full-time role; however, adding these duties to existing staff is not as easy as it sounds. A DPO has to be independent and objective in their duties; has to report directly to Senior Management and must have legal and technical expertise. Staff that interact with personal data, or report to someone who is responsible for personal data, is likely to have a conflict of interest.
To ensure that your DPO is fully competent you must ensure that the individual has relevant legal and technical expertise, plus invest in any relevant training to ensure these skills remain appropriate.
Where the appointment of an internal DPO is not possible or training is not viable there are options for virtual DPO services. Make sure you thoroughly check the credentials of providers if you take this route.
8. Communications & Staff Training
To ensure compliance across your organisation it is imperative that staff are fully aware of the obligations of GDPR. Data protection impacts many areas of a business so it is crucial that employees understand why new data policies and procedures are required.
Effective communications should be a major factor for companies who want to succeed at GDPR. All staff should have knowledge of the basic principles of GDPR, with full training for those responsible for the collection, use and storage of data.
Awareness and training programmes should be regular to ensure that ongoing compliance is achieved. For many businesses looking at GDPR, training and awareness is one of the best ways of protecting yourself from breaches while you focus on implementing a Privacy Framework.
This article is a guest blog first published at www.safedatagov.com. Steve Gibson is a GDPR consultant and advisor who works with KPM Group.