From 25th May 2018, organisations will need to be able to show that they are ready for the new General Data Protection Regulation (GDPR). With the ICO only due to release the final set of regulations in April 2018, the water is still a little murky as to what companies need to do. But, with hefty fines set for organisations that are found to be non-compliant, it’s something that is definitely worth getting your head around now, especially as preparing your organisation could take weeks - or even months.
Whilst we are not able to review your existing policies or advise on how to become compliant with the new regulations, we are on hand to answer any questions as best we can. But in the meantime, we have pulled out 10 key points from the ICO’s 12 step guide to preparing for GDPR.
1. Awareness
Everyone in your organisation needs to be aware of the new regulations, as well as your policies that are put in place to make sure you stay compliant. However, we know that the reality of everyone researching GDPR in their own time is easier said than done and the aforementioned murky water makes this even more difficult.
It’s a good idea to select a team of a few people who will be able to take responsibility for GDPR within your organisation. You can then make it one of their first tasks to present information back to everyone in the company in a format that’s easy (or at least easier) to understand - that way, everyone will be clear on what the new regulations are as well as their role in keeping compliant.
The team can be made up of employees who will then be in charge of your organisation’s compliance going forward. However, you may meet the criteria that require you to appoint a Data Protection Officer; this is something that your organisation will need to assess. More information can be found in MacRoberts’ excellent article.
2. Data audit
You also need to be aware of all of the data you currently have. This means getting to grips with what the data is, how and why it was collected and where from, who it’s shared with, how long you have had it and the legal basis for processing the data.
This needs to be well documented and a clear audit trail should be kept.
If you hold incorrect data and it is shared with another organisation, it will be your responsibility to update them so that they can correct their records. Having a clear understanding of the data and information you hold will not only make things easier, but will help you to show that you are in compliance with the GDPR accountability principle.
3. Update your privacy information
Under the current data protection laws, you should have a privacy policy that tells people whose personal data you are collecting, who you are and how you plan on using their information.
By 25th May 2018, you will need to have updated your privacy policy by adding in the new required information.
This includes:
- Explaining your lawful basis for processing personal information
- Your data retention periods
- Making it clear that an individual has the right to complain to the ICO if they don’t think you are handling their data in a correct or fair manner
It’s essential that this information is presented in a clear and concise manner and that it is easy for people to understand - bear in mind that the average person isn’t likely to know what GDPR is or have been pre-exposed to the same terminology and research as you have!
You can read more about this from the ICO.
4. Understand the additional rights of individuals
Under GDPR, the rights an individual already has under the Data Protection Act remain. As you are highly likely to be compliant with the DPA already, there isn’t too much work to be done here.
However, it is paramount that you understand the additional rights of an individual under the new regulation and put in the appropriate procedures to make sure you can comply.
An individual now has:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability, which only applies:
  - To personal data an individual has provided to a controller
  - Where processing is based on the individual’s consent or for the performance of a contract
  - When processing is carried out by automated means
- The right to object
- The right not to be subject to automated decision-making, including profiling
The right to data portability only applies in the instances mentioned above. Where it does apply, it’s really important that you are able to provide the data in a structured, commonly used and machine-readable format, and this should be done free of charge.
5. Prepare for subject access requests
A subject access request is when an individual asks to see a copy of the information an organisation holds about them.
Currently you have 40 days to comply with an access request; under GDPR this will change to one month. You will not be able to charge for complying with a request unless it is deemed to be manifestly unfounded or excessive, in which case you can also refuse the request. If you do refuse a request, you must tell the individual why, and also let them know that they have the right to complain to the supervisory authority and the right to a judicial remedy. This must be done without delay (again, within one month of the access request).
When you answer a subject access request, you will need to explain your lawful basis for processing personal data.
6. Make sure you have the correct lawful basis for processing personal data
Once you have identified your lawful basis for each way you process personal data, you will need to document it clearly. As previously mentioned, this will then need to be added to your privacy policy and will need to be detailed when answering a subject access request.
Under the current DPA, this doesn’t have many practical implications, however, under GDPR, some individuals’ rights will be modified depending on your lawful basis - most obviously, people will have a stronger right to have their data deleted if consent is used as the lawful basis.
As preparation, you should document the types of processing activities that your organisation carries out and clearly explain the lawful basis for each one.
7. Collect the right consent
If you are currently processing a lot of personal data, it’s important that you have a thorough understanding of where and how it was collected. If it was collected without meeting the new rules around consent and you are relying on consent to process the data, you will need to go back to those contacts and obtain the right permissions to be able to carry on processing their data in line with the new regulations.
This needs to be done before 25th May 2018.
Any data that you currently hold that hasn’t been re-permissioned by this date can no longer be processed or used.
GDPR requires a new standard of consent that should be used as soon as possible in preparation for the regulations coming into place. It needs to be specific, clear and unambiguous. There should be no pre-checked boxes and the individual must clearly have the option to positively ‘opt-in’ with an understanding of what they are opting-in to. This consent must be properly documented and should be easily withdrawn.
It’s a good idea to familiarise yourself with consent in more detail and understand how this will affect your organisation. Silence, pre-ticked boxes or inactivity are no longer legitimate or valid forms of consent.
8. Prepare for data breaches
In an ideal world there would be no data breaches; nevertheless, you should make sure that you have the right procedures in place to detect, report and investigate a personal data breach. When you document the types of personal data you hold, it would be a good idea to make a note of which ones could result in a breach that may need to be reported to the ICO and to the affected individuals.
Breaches that need to be reported to the ICO are those that could result in a risk to the rights and freedoms of individuals (for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage). In any of these circumstances, the individuals should also be notified of the breach.
It is important to remember that failing to report a breach is likely to lead to a fine in addition to the fine for the breach itself.
9. Make sure you have the right process in place for children’s data
The GDPR states that the age at which a child can give their own consent is 16 (however this might be lowered to 13 in the UK). This means that if you will be processing the personal data of anybody younger than the stated age, you will need a process in place that will verify their age so that you can obtain consent from their parent or guardian.
This brings in a new level of protection for children, particularly when they are signing up to online services and social networking sites.
You should remember that any consent needs to be verifiable and, when you’re collecting children’s data, you should have a privacy notice that is easy for children to understand.
10. Find your lead data protection supervisory authority
This is only relevant if you operate in more than one EU member state and you carry out cross-border processing - meaning that you have a single establishment in the EU that carries out processing which substantially affects individuals in other EU states.
The lead authority will be the supervisory authority in the state where your main establishment (central administration) in the EU is.
The Article 29 Working Party have put together this information to help you identify your lead supervisory authority.
What to do next?
The best advice would be to get started sooner rather than later, but we know as well as anyone that there is a lot to think about and a lot to get your head around. If this is something you haven’t already started thinking about, you might find it really useful to go to an event (whether it’s in person or through a webinar) before you start reading around the subject.
You can search for free GDPR events in your location on Eventbrite.