Synopsis
As many of you may be aware, the General Data Protection Regulation (GDPR) was adopted on 27 April 2016 and becomes enforceable from 25 May 2018. GDPR applies to you if you are a data controller or a data processor of personal information.
We appreciate that many organisations may not have the resources to manage GDPR, or may not know what steps to take to comply with the regulation. We strongly recommend hiring a data protection officer who can look into your requirements. As a starting point, we have summarised 12 quick steps you can take to move towards compliance, compiled from the sources listed below, including ICO guidance.
Definitions
Data Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Risk register: a risk log; a master document that plays an important part in your Risk Management Plan, helping you track issues and address problems as they arise. Each risk is rated on two factors: the likelihood of it occurring and the severity of its consequences.
12 quick steps to GDPR
1. Awareness
- Make key decision-makers in your organisation aware that the law is changing to GDPR
- Start your organisation’s risk register, including GDPR risks
2. Information you hold
- Conduct an information audit of the personal data you hold, and document what you hold, where you collect it from, whom you share it with, and how long you keep it
- If you hold inaccurate data, you need to inform any organisation you have shared it with so that they can correct it if they want to (https://ico.org.uk/for-organisations/guide-to-data-protection/principle-4-accuracy/)
- Ideally, create a security document explaining how data is protected, including a network diagram, etc.
3. Communicating privacy information
Review your privacy notices and make the changes GDPR requires. Your privacy page needs to state:
- Your identity
- How you intend to use their information
- The lawful basis for processing the data
- Data retention periods
- That individuals have a right to complain to the ICO if there is a problem
4. Individuals’ rights
Check that your procedures cover all the rights individuals have (to be informed, of access, to rectification, to erasure, to restrict processing, to data portability, to object, and not to be subject to automated decision-making), and focus on:
- How you would delete personal data
- How you would provide data electronically, in a commonly used format, on request
5. Subject access requests
You should update your procedures and plan how you will handle requests within the new timelines (30 days) and provide any additional information required.
6. Lawful basis for processing personal data
You should identify the lawful basis for your processing activity under the GDPR, document it, and update your privacy notice to explain it. In most cases “consent” will be the lawful basis for processing, but this means individuals have the right to have their information deleted.
7. Consent
You should review how you seek, record and manage consent, and whether you need to make any changes.
Refresh existing consents now if they don’t meet the GDPR standard:
- Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of consent by default.
- Explicit consent requires a very clear and specific statement of consent.
- Keep your consent requests separate from other terms and conditions.
- Be specific and granular. Vague or blanket consent is not enough.
- Be clear and concise.
- Name any third parties who will rely on the consent.
- Make it easy for people to withdraw consent and tell them how.
- Keep evidence of consent – who, when, how, and what you told people.
- Keep consent under review, and refresh it if anything changes.
- Avoid making consent a precondition of a service.
8. Children
If children use your system and provide their details:
- Put systems in place to verify individuals’ age (to check whether parental consent is needed)
- Obtain parental or guardian consent for any data processing activity
9. Data breaches
- You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- The Data Protection Authority (DPA) you need to inform depends on the country: in the UK it is the Information Commissioner’s Office (https://ico.org.uk), and in Germany it is Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (http://www.bfdi.bund.de). A full list for all EU countries can be seen at http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm
- If a data breach does happen, you need to inform the DPA when feasible, ideally within 72 hours, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- More details can be found at https://gdpr-info.eu/art-33-gdpr/
10. Data Protection by Design and Data Protection Impact Assessments
Carry out Privacy Impact Assessments (PIAs) to contain privacy risk; some of the ways this risk can arise are through personal information being:
- Inaccurate, insufficient or out of date;
- Excessive or irrelevant;
- Kept for too long;
- Disclosed to those whom the person it is about does not want to have it;
- Used in ways that are unacceptable to or unexpected by the person it is about; or
- Not kept securely.
A PIA should incorporate the following steps:
- Identify the need for a PIA
- Describe the information flows
- Identify the privacy and related risks
- Identify and evaluate the privacy solutions
- Sign off and record the PIA outcomes
- Integrate the outcomes into the project plan
- Consult with internal and external stakeholders as needed throughout the process
11. Data Protection Officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
12. International
If your organisation operates in more than one EU member state, or if you have a single establishment in the EU that carries out processing which substantially affects individuals in other EU states, you should determine your lead data protection supervisory authority, which is usually the authority of the member state where your main establishment is located.
References
This document has been prepared based on various documents, including:
- https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
- https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design
- https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/
- https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf
- https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf
- http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm
- https://ico.org.uk/for-organisations/guide-to-data-protection/principle-4-accuracy/
- https://gdpr-info.eu/art-33-gdpr/
- http://ec.europa.eu/newsroom/article29/news.cfm?item_type=1358&tpa_id=6936