Getting ready for the GDPR

Designed to help you get your house in order, ready for the new data protection reform. Includes getting to grips with the new rights of individuals, handling subject access requests, consent, data breaches, and designating a data protection officer, under the upcoming General Data Protection Regulation.

Step

Awareness

Decision makers and key people in your business are aware that the law is changing to the GDPR and appreciate the impact this is likely to have. Your business has identified areas that could cause compliance problems under the GDPR and has recorded these on the organisation’s risk register. Your business is raising awareness across the organisation of the changes that are coming.

You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR. It would be useful to start by looking at your organisation’s risk register, if you have one. Implementing the GDPR could have significant resource implications, especially for larger and more complex organisations. You should raise awareness of the changes that are coming. Do not leave your preparations until the last minute.

Step

Accountability

Your business has set out the management support and direction for data protection compliance in a framework of policies and procedures. Your business monitors compliance with data protection policies and regularly reviews the effectiveness of data handling / processing activities and security controls. Your business has developed and implemented a needs-based data protection training programme for all staff.

The GDPR includes provisions that promote accountability and governance. These complement the GDPR’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR emphasises their significance. The new accountability principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility. You are expected to put into place comprehensive but proportionate governance measures. Good practice tools that the supervisory authority has championed for a long time, such as privacy impact assessments and privacy by design, are now legally required in certain circumstances. It is recommended that you implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies, staff training, internal audits of processing activities and reviews of internal HR policies. Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.

Step

Information you hold

Your business has documented what personal data you hold, where that data came from and who it is shared with. Your business has planned to conduct an information audit across the organisation to map data flows.

You must maintain internal records of processing activities. You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit across the organisation or within particular business areas to identify the data that you process and how it flows into, through and out of the organisation. The GDPR updates rights for a networked world. For example, if you have inaccurate personal data and have shared this with another organisation, you will have to tell the other organisation about the inaccuracy so it can correct its own records. You won’t be able to do this unless you know what personal data you hold, where it came from and who you share it with. You should document this. Doing this will also help you to comply with the GDPR’s accountability principle, which requires organisations to be able to show how they comply with the GDPR principles, for example by having effective policies and procedures in place. If your organisation has more than 250 employees, you must maintain additional internal records of your processing activities. There are some similarities with ‘registrable particulars’ under the DPA which must be notified to the supervisory authority. You must record the following information:

* name and details of your organisation (and where applicable, of other controllers, your representative and data protection officer);
* purposes of the processing;
* description of the categories of individuals and categories of personal data;
* categories of recipients of personal data;
* details of transfers to third countries including documentation of the transfer mechanism safeguards in place;
* retention schedules; and
* description of technical and organisational security measures.

If your organisation has fewer than 250 employees you are required to maintain records of activities related to higher risk processing, such as:

* processing personal data that could result in a risk to the rights and freedoms of individuals; or
* processing of special categories of data or criminal convictions and offences.

You may be required to make these records available to the relevant supervisory authority for purposes of an investigation.

Step

Data Protection by Design and Data Protection Impact Assessments

Your business has implemented appropriate technical and organisational measures to show you have considered and integrated data protection into your processing activities. Your business understands when you must conduct a DPIA and has processes in place to action this. Your business has a DPIA framework which links to your existing risk management and project management processes.

Under the GDPR, you have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities. Under the GDPR, this is referred to as data protection by design and by default. You should adopt internal policies and implement measures which help your organisation comply with the data protection principles – this could include data minimisation, pseudonymisation and transparency measures. As part of a data protection by design approach, the GDPR requires organisations to conduct data protection impact assessments (DPIAs) in specific circumstances. DPIAs are a tool which can help you identify the most effective way to comply with your data protection obligations and meet individuals’ expectations of privacy. An effective DPIA will allow you to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. You must carry out a DPIA where a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of individuals. Processing that is likely to result in a high risk includes but is not limited to:

* systematic and extensive processing activities, including profiling and where decisions have legal effects – or similarly significant effects – on individuals;
* large scale processing of special categories of data or personal data relating to criminal convictions or offences; and
* large scale, systematic monitoring of public areas.

It is recommended that you undertake a DPIA in cases where it is unclear whether doing so is required. The DPIA should contain the following information:

* A description of the processing operations and the purposes including, where applicable, the legitimate interests pursued by the controller.
* An assessment of the necessity and proportionality of the processing in relation to the purpose.
* An assessment of the risks to individuals.
* The measures in place to address risk, including security, and to demonstrate that you comply.

A DPIA can address multiple processing operations that are similar in terms of the risks presented, provided adequate consideration is given to the specific nature, scope, context and purposes of the processing. You should start to assess the situations where it will be necessary to conduct one:

* Who will do it?
* Who else needs to be involved?
* Will the process be run centrally or locally?

If the processing is wholly or partly performed by a data processor, then that processor should assist you in carrying out the DPIA. It may also be appropriate to seek the views of data subjects in certain circumstances. Where a DPIA indicates that the processing would result in a high risk and you are unable to mitigate those risks by reasonable means, you will be required to consult the supervisory authority to seek its opinion as to whether the processing operation complies with the GDPR.

Step

Data Protection Officers

Your business has designated responsibility for data protection compliance to a suitable individual within the organisation. Your business has appointed a Data Protection Officer (DPO) if you are a public authority or you carry out large scale monitoring of individuals or you carry out large scale processing of special categories of data or data relating to criminal convictions and offences. Your business supports the data protection lead through provision of appropriate training and reporting mechanisms to senior management.

You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you will be required to formally designate a Data Protection Officer (DPO) and, if so, assess whether your current approach to data protection compliance will meet the GDPR’s requirements. You must designate a DPO if you:

* are a public authority (except for courts acting in their judicial capacity);
* carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
* carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

The important thing is to make sure that someone in your organisation (or an external data protection advisor) takes proper responsibility for your data protection compliance and has the knowledge, support and authority to do so effectively.

Step

Lawful basis for processing personal data

Your business has reviewed the various types of processing you carry out. You have identified your lawful basis for your processing activities and documented this. Your business has explained your lawful basis for processing personal data in your privacy notice(s).

You should look at the various types of data processing you carry out, identify your lawful basis for carrying it out and document it. Under the GDPR, some individuals’ rights will be modified depending on your lawful basis for processing their personal data. The most obvious example is that people will have a stronger right to have their data deleted where you use consent as your lawful basis for processing. You have to explain your lawful basis for processing personal data in your privacy notice. The lawful bases in the GDPR are broadly the same as those in the DPA so it should be possible to look at the various types of data processing you carry out and to identify your lawful basis for doing so. You should document this in order to help you comply with the GDPR’s ‘accountability’ requirements.

Step

Consent

Your business has reviewed how you seek, record and manage consent. Your business has reviewed the systems currently used to record consent and implemented appropriate mechanisms in order to ensure an effective audit trail.

The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how you use their data. When consent is used properly, it helps you build trust and enhance your reputation. The basic concept of consent, and its main role as one potential lawful basis (or condition) for processing, is not new. The definition and role of consent remains similar to that under the DPA. However, the GDPR builds on the DPA standard of consent in several areas. It contains much more detail and codifies existing European guidance and good practice. You will need to review your consent mechanisms to make sure they meet the GDPR requirements on being specific, granular, clear, prominent, opt-in, documented and easily withdrawn. The key new points are as follows:

* Unbundled: consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service unless necessary for that service.
* Active opt-in: pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (eg a binary choice given equal prominence).
* Granular: give granular options to consent separately to different types of processing wherever appropriate.
* Named: name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR.
* Documented: keep records to demonstrate what the individual has consented to, including what you told them, and when and how they consented.
* Easy to withdraw: tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
* No imbalance in the relationship: consent will not be freely given if there is imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.

You are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR. But it’s important to check your processes and records in detail to be sure existing consents meet the GDPR standard. On the other hand, if existing DPA consents don’t meet the GDPR’s high standards or are poorly documented, you will need to seek fresh GDPR-compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing. Your obligations don’t end when you get consent. You should view consent as a dynamic part of your ongoing relationship of trust with individuals, not a one-off compliance box to tick and file away. To reap the benefits of consent, you need to offer ongoing choice and control. Remember – you don’t always need consent. You should also assess whether another lawful basis is more appropriate.

Step

Children

If your business offers services directly to children, you communicate privacy information in a clear plain way that a child will understand. If your business offers ‘information society services’ directly to children, your business has systems in place to verify individuals’ ages and to obtain parental or guardian consent where required.

For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of internet services such as social networking. If you offer services directly to a child, you must ensure that you write your privacy information (such as your privacy notice) in a clear, plain way that a child will understand. If you offer information society services (services requested and delivered through the internet) directly to children, you must identify the most appropriate lawful basis for the processing. If you want to rely on consent as the lawful basis for your processing, you will need a parent or guardian’s consent or authority in order to process their personal data lawfully. (The GDPR states that parental/guardian consent for access to online services is required for children aged 16 and under – but note that it does permit national governments to provide for a lower age in law, as long as it is not below 13.) If you offer information society services directly to children and choose to rely on consent, you should think about putting systems in place to:

* verify the age of the individual; and
* gather parental or guardian consent for the data processing activity where required.

Step

Communicating privacy information

Your business has reviewed your current privacy notices and has a plan in place to make any necessary changes in time for GDPR implementation.

You should review your current privacy notices and plan how to make any necessary changes in time for GDPR implementation. The GDPR sets out the information that you should supply and when you should inform individuals. The information you supply is determined by whether or not you obtained the personal data directly from individuals. See the table below for further information on this. Much of the information you should supply is consistent with your current obligations under the DPA, but there is some further information you are explicitly required to provide. The information you supply about the processing of personal data must be concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child; and free of charge. The table below summarises the information you should supply to individuals and at what stage.

Step

Individuals' rights

Your business has checked your procedures to ensure that you can deliver the rights of individuals under the GDPR.

You should check your procedures to ensure that you can deliver individuals’ rights. The GDPR includes the following rights for individuals:

* the right to be informed;
* the right of access;
* the right to rectification;
* the right to erasure;
* the right to restrict processing;
* the right to data portability;
* the right to object; and
* rights in relation to automated decision making and profiling.

On the whole, the rights individuals will enjoy under the GDPR are the same as those under the DPA but with some significant enhancements. If you are geared up to give individuals their rights now, then the transition to the GDPR should be relatively easy. The right to data portability is new. It only applies:

* to personal data an individual has provided to a controller;
* where the processing is based on the individual’s consent or for the performance of a contract; and
* when processing is carried out by automated means.

You should consider whether you need to revise your procedures and make any necessary changes. It requires you to:

* provide the personal data in a structured, commonly used and machine readable form. Open formats include CSV files. (Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data.); and
* provide the information free of charge.

If the individual requests it, you may be required to transmit the data directly to another organisation if this is technically feasible. However, you are not required to adopt or maintain processing systems that are technically compatible with other organisations. If the personal data concerns more than one individual, you must consider whether providing the information would prejudice the rights of any other individual.

Step

Subject access

Your business has reviewed your procedures and has plans in place for how you will handle requests from individuals for access to their personal data within the new timescales outlined in the GDPR. Your business has reviewed your procedures and has plans in place for how you will provide any additional information to requestors as required under the GDPR.

You should update your procedures and plan how you will handle requests to take account of the new rules:

* In most cases you will not be able to charge for complying with a request.
* You have a month to comply.
* You can refuse or charge for requests that are manifestly unfounded. Excessive requests can also be charged for or refused.
* Where you refuse to respond to a request, you must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

If your organisation handles a large number of access requests, consider the logistical implications of having to deal with requests more quickly. Where appropriate, you could consider whether it is feasible or desirable to develop systems that allow individuals to access their information easily online.

Step

Data breaches

Your business has implemented appropriate procedures to ensure personal data breaches are detected, reported and investigated effectively. Your business has mechanisms in place to assess and then report relevant breaches to the supervisory authority where the individual is likely to suffer some form of damage eg through identity theft or confidentiality breach. Your business has mechanisms in place to notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.

The GDPR introduces a duty on all organisations to report certain types of data breach to the supervisory authority and in some cases to individuals. You only have to notify the supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed, such a breach is likely to have a significant detrimental effect on individuals – for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly. A ‘high risk’ means the threshold for notifying individuals is higher than for notifying the relevant supervisory authority. You may wish to assess the types of data you hold as part of your processing activities and document where it is likely that you would be required to notify the supervisory authority or affected individuals if a breach concerning that data occurred.

Step

International

If your business operates in more than one EU member state, you have determined your business’s lead supervisory authority and documented this.

If your business operates in more than one EU member state you should determine where your lead supervisory authority is and document this (ie you carry out cross-border processing because your business has establishments in more than one EU state, or you have a single establishment in the EU that carries out processing which substantially affects individuals in more than one EU state). The lead authority will be the supervisory authority in the state where your main establishment is. Your main establishment is the location where your central administration in the EU is, or else the location of the establishment where the decisions on the purposes and means of the processing activity are taken and implemented. It may be helpful to map out where your organisation makes its most significant decisions about data processing. This will help to determine your main establishment and therefore your lead supervisory authority.