Getting ready for GDPR

Introduction

With less than 1 year to go until the GDPR comes into force, there is no end of information out there on what organisations need to do to get themselves ready for GDPR compliance.

But in this 2-part series, we aim to draw it all together with some practical advice – Part One focusses on issues that can be characterised as “internal” to your organisation. Part Two will focus on the outward facing issues.

Whilst you will be required to comply with the GDPR 100% from day one, clearly you need to prioritise your efforts. For each we have tried to give some idea of the priority level you should give to this issue – whether it is to do with the implications for getting it wrong or the length of time it might take to getting it right, meaning that you should be starting as soon as possible.

Part One – Internal Issues

  1. Awareness

GDPR compliance is going to need an allocation of resources both in terms of people and money. Plus the fact that it needs to be approached on a cross-organisational basis, the obvious starting point is that awareness across the organisation, and most importantly at board level, is a must.

Budget needs to be allocated and project leaders with the right skill sets and experienced need to be appointed in each business unit.

Priority Level – 1

  1. Data Mapping

The aim here is to get an idea of the scale of the issue and hopefully the result will be a clearer idea on how your organisation collects, stores, uses and transfers personal data.

The exercise (for each function that “touches” personal data) needs to address the following questions:

  • How is personal data collected – in what scenarios? CV’s, forms, support requests; directly, from public sources or third parties?
  • Whose personal data is collected – staff, clients, prospects, members, complainants?
  • What personal data is collected – personal details, dates of birth, financial, health?
  • When is it collected and how long retained?
  • Why is it collected – staff admin, client admin, legal (eg. Anti-money laundering or know-your- client requirements), marketing, profiling
  • Where is it processed – manual, electronic, in-house, outsourced, external/cloud hosting and in what jurisdiction?

The outputs from the above exercise should then enable you to build up the necessary records of your data processing activities (one of the requirements of the GDPR) and also to help develop your privacy policy (known as an “information notice” in GDPR-speak). We will look at how to upgrade your privacy policy in Part Two

Priority level – 1

  1. Processing grounds

Once your data map is completed, for each processing activity you need to check you have the legal grounds for processing that personal data.

For personal data these include:

  • Consent (more on this below)
  • Processing is necessary for performing a contract with the individual
  • Processing is a legal necessity
  • Processing is in the vital interests of individual
  • Processing is in the public interest
  • Processing is in your organisation’s legitimate interest (note this cannot be used by public bodies)

For special categories of personal data (what used to be known as “sensitive personal data”), lawful processing grounds include:

  • Explicit consent
  • Carrying out of obligations in relation to employment, social security or social protection or collective agreement
  • Vital interests (where the individual is physically/legally incapable)
  • Healthcare data and social care

You need to demonstrate and record that the above has been checked and then ensure that your information notice highlights the above grounds for lawful processing.

Priority Level - 2

  1. Consent

If your organisation relies on consent as a ground for lawful processing, then you will need to check that any historic consents will remain valid under the GDPR. To be valid, the consent must be clearly informed, distinguishable & specific to the processing (ie. not bundled), unambiguous and freely given.

There is a useful checklist in the Information Commissioner’s Office draft guidance here.

Priority level – 1 to 3 (depending on business activity)

  1. DPO

Some organisations are required to have a data protection officer (DPO) under the GDPR. It is mandatory for:

  • Public authorities
  • Organisations whose core activities involve:
    • Regular & systematic monitoring on a large scale (eg profiling/tracking)
    • Large scale processing of sensitive data or criminal records

If your organisation falls within the above criteria then do check the EU guidance here.

Even if not mandatory, having a DPO within your organisation is a good way for you to demonstrate your accountability – ie that you are prioritising privacy and “baking” it into your organisation’s DNA.

Priority Level 2

  1. Insurance

Some of your liabilities under the GDPR may be covered under one or more of your business insurance policies. But don’t just assume that your “Cyber Insurance” policy will cover you for more than basic first party (ie. your) costs. For example, will it cover you for actions for damages brought by your customers in the event of a security breach? What about claims brought by individuals who have been affected by the breach? And it is highly unlikely that any basic cyber insurance policy will cover you for regulatory fines and penalties.

So if insurance plays a central part in your business risk mitigation strategy, make sure you look at the cover carefully – particularly the exclusions and limitations. Have you complied with the conditions of the policy?

Priority Level – 2-3

  1. Privacy by design/default

What steps are you taking to ensure that privacy is “baked-in” to your organisation? You should be allocating responsibility and budget to implement a full compliance program incorporating audits, HR and other policy reviews and updates and training/awareness programmes. These should be integrated across the organisation – for example – retention periods, marketing, cookie use, employee data, advertising, BYOD and social media

Steps should be taken to minimise the use of personal data - for example do all classes of employees need to have access to all categories of personal data? Might pseudonymisation be used more widely?

Also, consider the rolling out of privacy impact assessments to identify and minimise non-compliance risks – particularly before any “high risk” processing activity. Templates should be published and training implemented. The result should be an assessment of need, proportionality, risks and mitigation measures – for example, safeguards and security measures.

Priority Level - 3

  1. Demonstrability/Accountability

Whilst this is a less specific, and less easily identifiable requirement of the GDPR, it nevertheless goes to the heart of the compliance burden – in short, how can you show that you are complying with the law?

It needs processes and policies which require records of organisation processing activities to be implemented. It is not a one-off exercise but a living process – continuous and evidenced paper trails. Always dynamic, never complete.

In the absence of any certified code of conduct (and keep checking any trade associations or industry sector initiatives for these), can you use any of the ISO standards to drive good information governance?

In the meantime, ensure you have implemented staff training and awareness which is appropriate to the business activity (and makes sure records are kept!). Also, think about ad hoc testing and audits – are your procedures and policies being followed and do they work? For example – does everyone know what they need to do in the event of a security breach?

Priority Level – 3-4