11 things you must do now for GDPR compliance
By Cloud Direct • 03 May 2017
On 25th May 2018, today’s Data Protection Act (DPA) will be replaced with the new General Data Protection Regulation (GDPR). This checklist highlights the 11 most important steps you can take now to make sure your data and processes remain compliant.
According to the Information Commissioner’s Office (ICO), if you’re already DPA compliant, then most of your approach to compliance will remain valid come May 2018. However, there are some differences in GDPR, which means you’ll have to do certain things for the first time and some other things differently. Before we get into the specifics, here’s an overview of the GDPR and what it means for businesses and individuals.
What is GDPR?
The point of the GDPR is to provide clarity and consistency for the protection of personal data. It imposes new rules on organisations that offer goods and services to people in the European Union (EU), or that collect and analyse data tied to EU residents, no matter where the organisation itself is located. The GDPR establishes:
- Enhanced personal privacy rights
- Increased duty for protecting data
- Mandatory breach reporting
- Significant penalties for non-compliance
What are the key changes with the GDPR?
There are four key focus areas of difference between GDPR and DPA compliance.
1. Personal privacy
With GDPR, individuals have the right to:
- Access their personal data
- Correct errors in their personal data
- Wipe their personal data
- Object to processing of their personal data
- Export personal data
2. Controls and notifications
The new regulations introduce changes in terms of:
- Strict security requirements
- Breach notification obligation
- Appropriate consents for data processing
3. Transparent policies
GDPR requires that organisations provide transparent and easily accessible policies regarding:
- Notice of data collection
- Notice of processing
- Processing details
- Data retention/deletion
4. IT and training
Businesses will need to invest in:
- Privacy personnel and employee training
- Data policies
- Data Protection Officer (if your business has 250+ employees)
- Processor/vendor contracts
So what do you need to do to make all this happen? Here are the 11 areas the ICO flags as key to review.
11 things you must do now for GDPR compliance
1. Raise awareness across your business
The ICO urges businesses to start planning for GDPR as soon as possible, so you have time to address budgetary, IT, personnel, governance and communications implications.
Key people and decision-makers need to be aware of the new legislation, so they can understand the potential impact and identify areas that require attention for compliance. Start by looking at your risk register, if you have one.
2. Audit all personal data
Document what personal data you hold, where it came from and who you share it with.
The GDPR updates rights for a networked world. It makes organisations responsible for proving they comply with the data protection principles, for example by having effective policies and procedures in place.
For example, if you become aware that you’ve shared inaccurate personal data with another organisation, it is your responsibility to inform that organisation about the inaccuracy so it, too, can correct its own records.
3. Update your privacy notice
When you collect personal data, you probably use a privacy notice containing DPA-compliant information such as your identity and how you intend to use people’s information. Under the new regulations, you’ll have to tell people some additional things compared to the DPA. For example, you’ll need to explain:
- your legal basis for processing the data
- your data retention periods
- their right to complain to the ICO if they think there’s a problem with how you’re handling their data
So you’ll need to review your current privacy notices and put a plan in place to make any necessary changes by May 2015.
4. Review your procedures supporting individuals’ rights
The new legislation covers the same principles as the DPA, but with significant enhancements. The key thing here is to make sure you have the procedures in place so you can comply with, for example, an individual’s request to provide them with the data you have on them electronically and in a commonly used format.
The main rights for individuals under the GDPR are to:
- allow subject access
- have inaccuracies corrected
- have information erased
- prevent direct marketing
- prevent automated decision-making and profiling
- allow data portability (as per the paragraph above)
5. Review your procedures supporting subject access requests
Depending on the type and size of your organisation, subject access requests could generate a logistical and administrative headache.
Under the new rules, you are unlikely to be able to charge for complying with requests, and will have just a month to comply, rather than the current 40 days. There are also different grounds for refusing to comply with a subject access request, and if you refuse a request you need to have policies and procedures in place to demonstrate why the request meets these criteria.
You may want to consider conducting a cost/benefit analysis for providing online access to individuals.
6. Identify and document your legal basis for processing personal data
Under the GDPR, some individuals’ rights will be modified, depending on your legal basis for processing their personal data. For example, they could have their data deleted where you use consent as your legal basis for processing. So you need to understand the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
7. Review how you seek, obtain and record consent
If you rely on individuals’ consent to process their data, make sure it meets the standards required by the GDPR. If not, alter your consent mechanisms or find an alternative to consent. The GDPR is clear that data controllers must be able to demonstrate that consent was given. So you may need to review the systems you have for recording consent and ensure you have an effective audit trail.
8. Review data you hold on children
For the first time, the GDPR will bring in special protection for children’s personal data. So if your organisation collects information about children under the age of 13, you will need parental/guardian consent to process their data lawfully.
9. Establish procedures to detect, report and investigate a personal data breach
The GDPR requires that all organisations notify the ICO of all data breaches where the individual is likely to suffer some form of damage, such as through identity theft or a confidentiality breach. So you need to set up processes to detect, report and investigate breaches.
Note that failure to report a breach could result in a fine, as well as a fine for the breach itself.
10. Review your processes around Data Privacy Impact Assessments (DPIAs)
You may be required to carry out a privacy impact assessment (PIA) in a high-risk situation such as a new technology deployment, or where operations are likely to significantly affect individuals.
To prepare for such an eventuality, the ICO recommends you familiarise yourself with their PIA Code of Practice so you can work out how best to implement DPIAs in your organisation. Think about where it might be necessary to conduct a DPIA in your organisation. Who will do it? Who else needs to be involved? Should the process be run centrally or locally?
11. Appoint a Data Protection Officer (DPO)
If your organisation employs 250 or more people, is a public authority or is involved in the regular and systematic monitoring of data subjects on a large scale, you should appoint a data protection officer. The DPO should take proper responsibility for data protection compliance and have the knowledge, support and authority to do so effectively.
To find out how cloud IT can help you streamline your processes for GDPR, check out this blog: How cloud IT can help you prepare for GDPR.