Getting ready for GDPR - chapter 2

Part Two – external issues

In Part One of this series, we looked at some of the internal issues organisations need to come to terms with in their efforts to comply with the GDPR.

In this Part Two, we look at the outward-facing, public or third party-relationship issues that need to be grappled.

  1. Jurisdiction

If you are operating in the EU in more than one country, then you need to establish which local regulator will be your main supervisory authority. This will be where you have your “main establishment” (central administration or place where the main processing decisions are taken).

If you are outside the EU, you will still be subject to the GDPR if processing personal data about EU individuals in connection with:

  • Offering goods or services
  • Monitoring behaviour

In this case, you have to appoint an EU representative.

Priority Level – 1

  1. Breach management and notification

Data controllers and processors should develop, test and update internal breach notification procedures, including having incident identification systems and response plans. These need to be regularly tested and reviewed. Ensure there are templates and training so that everyone is aware of their roles and responsibilities.

Check your information security policy – have you put in place technical and organisational measures to render data unintelligible in case of unauthorised access?

Consider use of encryption both at rest and in transit since this helps to mitigate the potential risks of any security breach.

Ensure that your data processors are obliged to assist you in the case of breach and notify you in time.

Be aware of thresholds for notifying:

  • ICO – where there is a risk to rights/freedoms of individuals
  • Individuals – unless there is no high risk and measures in place (such as encryption) or if it would mean a disproportionate effort (in which case you have to adopt similar measure – for example a public communications campaign)

Priority level - 1

  1. Information Notice

Updating your information notice (AKA “privacy notice” or “privacy policy”) is one of the key public-facing compliance steps to take. You can’t realistically expect consumers and customers to believe you when you say that you are complying with the GDPR when you have a publicly accessible document that is out of date.

The aim of the notice is to provide transparency of processing. Despite the extra information you are required to provide the notice must be concise, intelligible and easily accessible way, using clear and plain language (especially when aimed at children)

GDPR requires new information to be contained in the notice, such as DPO contact details, the legal basis for processing and an explanation of an individual’s enhanced rights under the GDPR.

So, you need to ensure that the notice is properly flagged when data is collected directly. Where collected indirectly, ensure that you have processes in place to be able to provide the information within the appropriate time.

Finally, ensure your processors have the most up to date version of the notice(s) at or before point of collection.

Priority Level – 1-2

  1. Data Processing

If you are a data controller that has outsourced any functions (or plans to do so):

  • Identify all arrangements with third parties who are your data processors
  • Have you carried out (and documented) due diligence and audits?
  • Do they meet requirements of GDPR?
  • If not, they will need replacing and/or the agreements renegotiated
  • Ensure liabilities within your agreements are properly allocated – for example, does the data processor indemnify you for claims made against you by individuals as a result of something the data processor has or has not done
  • Develop templates for future use

If your business involves being a data processor for your customers:

  • Update your standard terms and conditions to reflect GDPR risk and appropriate allocation
  • Approach customers first to show willingness and awareness of GDPR
  • Prepare a “white paper” to share with customers which sets out system architecture, data flows and what you have done to drive compliance

Priority Level – 2

  1. Children

If you are collecting personal data of children (ie. less than 13 but watch out for local law changes to this), you will need parental consent. Do you have the systems in place to obtain and verify that permission?

Ensure information notices can be understood by audience and if relying on “legitimate interest” as a ground for processing, have you documented why your interests override the child’s?

Priority Level – 3-4 (depending in business activity)