What are your first steps for GDPR
Many of you will have heard of GDPR, but for those who have not, it is a new regulation which comes into effect in May 2018 to replace and enhance the Data Protection Act. It is an EU regulation; however, it will be adopted by the UK in at least equivalent form.
The General Data Protection Regulation is legislation coming into effect for businesses in the UK in May 2018.
This is an enhancement to the existing privacy regulations in the UK, currently enforced by the Information Commissioner's Office (ICO) under the UK Data Protection Act.
The Regulation is a European one; however, because it comes into force before the UK leaves the EU, it will be relevant, and the UK government has already said it would expect to implement it in UK law anyway.
If you want more direct information there is a lot on the ICO website; the ICO is the body responsible for enforcing the new regulations. Their "12 steps" and "getting ready" documents are the framework we will work with to begin with for most clients.
I have summarised the 12 steps here.
1. Awareness
Make sure all your key staff are aware that this is coming and understand its impact. Encourage early discussion of concerns, as compliance may take a while to achieve.
2. Information You Hold
You should get ready by documenting the personal data you hold, recording the following information:
a. What is it?
b. Where and how is it stored (this is not only IT based; think paper as well)?
c. Who is it shared with / who has access to it?
d. How did you obtain it?
e. What is it held for?
You have a responsibility to ensure data is accurate and that you hold only what you need, so a data audit may be required to get the above information clear.
3. Communicating privacy information
Review your current privacy notices supplied to people who provide personal information, and the process you have for obtaining consent. These need to be checked to ensure they comply with the GDPR in time for implementation.
The privacy notice code of practice sets out the new requirements: https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/
4. Individuals' rights
Check your procedures, and create new ones where needed, to ensure they cover all the rights individuals have; remember it is their data.
– the right to be informed;
– the right of access;
– the right to rectification;
– the right to erasure;
– the right to restrict processing;
– the right to data portability;
– the right to object; and
– the right not to be subject to automated decision-making including profiling.
5. Subject access requests
You should check and update your procedures for these requests in light of the changes: you will not be permitted to charge, and you will now have to complete them within one month. Think carefully about how easy it is to respond to these requests; it may be easier to change how you store data than to maintain very complicated procedures.
6. Lawful basis for processing personal data
You need to establish and document your lawful basis for processing personal information. In many cases this is necessary to carry out requested work or to fulfil the obligations of employment; however, these bases need spelling out in privacy notices, and if the lawful basis is consent you need to ensure you have it and that it is clear for how long and for what purpose it has been given. A subject access request requires the lawful basis for holding the information to be supplied, so you need to have it documented to conform to the accountability requirements.
7. Consent
You should review all your procedures for how you manage consent to hold personal information and, if necessary, refresh these consents to ensure they meet the GDPR standard.
The detailed guidance can be found here: https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf
If you have existing consent under the DPA you do not have to refresh it; however, it must comply with the GDPR standard of being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If it does not, you will need to change the mechanisms and seek fresh consent.
8. Children
Think about whether you need to put a system in place to verify the age of individuals or obtain parental consent. The GDPR has special protection for children's data, particularly for commercial online services. If you offer anything online ("information society services") to children which relies on consent to collect information, then you will need guardian consent to be able to lawfully process the data. The GDPR sets the age at which a child can give consent as 16 (however the UK may make this 13); if a child is younger you will need parental consent.
9. Data breaches
You should check and document your procedures for a breach; you need to be able to detect a breach as well as investigate it and report it to the ICO.
The GDPR introduces a requirement for all organisations to report any breach of personal data within 72 hours. A breach is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
10. Data Protection by Design and Data Protection Impact Assessments
Privacy by design is good practice anyway; however, the GDPR makes it a legal requirement. This means Data Protection Impact Assessments (DPIAs) are mandatory for certain activities, including when adopting new systems. If your DPIA finds a high risk which cannot be addressed, you will need to consult the ICO to ensure you comply with the GDPR.
You should assess in which situations a DPIA will be required.
11. Data Protection Officers
You should designate someone to take responsibility for your organisation's data protection compliance and assess where this role sits in your organisation's structure. You should consider whether you are required to formally designate a Data Protection Officer (DPO), which you need if:
– you are a public authority;
– you monitor individuals on a large scale; or
– you carry out large-scale processing of special categories of data, such as health records or information about criminal convictions.
If you do need one, it is important that this person takes full responsibility and has the knowledge, support and authority to carry out their role effectively.
12. International
If your organisation operates in multiple countries you should document your lead data protection authority, which will be where your main establishment is (the ICO in the case of the UK). This applies only if you carry out cross-border processing, i.e. you have establishments in more than one EU state.