There are hundreds of articles on the GDPR (General Data Protection Regulation) which give a basic overview, but very few that offer a practical, step by step guide to getting GDPR compliant.
Gartner estimates that by the end of 2018, over 50% of companies affected by the GDPR will not be in full compliance with its requirements. This could open non-compliant companies up to the new fines: serious offences could result in fines of up to €20 million or 4% of a firm’s global turnover (whichever is greater).
PART 1 – Quick Summary of The GDPR
Having said there are lots of summary articles available, I still want to give a quick overview for people who have not heard of it.
- The GDPR will become effective on 25 May 2018
- The GDPR is Europe’s new framework for data protection laws – it replaces the previous 1995 data protection directive, which current UK law is based upon
- The Information Commissioner’s Office (ICO) will enforce the GDPR in the UK
- There are new rights for people to access the information companies hold about them, obligations for better data management for businesses, and a new regime of fines
- Post Brexit the UK is implementing a new Data Protection Bill which will include all the provisions of the GDPR. There are some small changes but our own law will be largely the same
- Individuals, organisations, and companies that are either ‘controllers’ or ‘processors’ of personal data will be covered by the GDPR. “If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR,” the ICO says on its website.
- In the full text of GDPR there are 99 articles setting out the rights of individuals and obligations placed on organisations covered by the regulation
- Companies covered by the GDPR will be more accountable for their handling of people’s personal information. This can include having data protection policies, data protection impact assessments and having relevant documents on how data is processed
- For companies that have more than 250 employees, there’s a need to have documentation of why people’s information is being collected and processed, descriptions of the information that’s held, how long it’s being kept for and descriptions of technical security measures in place
- There’s also a requirement for businesses to obtain consent to process data in some situations. When an organisation is relying on consent to lawfully use a person’s information they have to clearly explain that consent is being given and there has to be a “positive opt-in”
- The new regulation gives individuals the power to get their personal data erased in some circumstances. This includes where it is no longer necessary for the purpose it was collected, if consent is withdrawn, there’s no legitimate interest, and if it was unlawfully processed.
- The GDPR also gives individuals far more power to access the information that’s held about them. Under the GDPR, requests for personal information can be made free of charge
Core Actors of the GDPR
- Data Subject – A person who can be identified directly or indirectly by means of an identifier. For example, an identifier can be a national identifier, a credit card number, a username, or a web cookie.
- Personal Data – Any personal information, including sensitive personal information, relating to a Data Subject. For example, address, date of birth, name, location and nationality.
- Controller – A natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. For example, a controller can be an organization or CIO.
- Processor – A natural or legal person, agency or any other body which processes Personal Data on behalf of the Controller. For example, a developer, a tester, or an analyst. A Processor can also be a cloud service provider or an outsourcing company.
- Data Protection Officer (DPO) – An individual working for a Controller or a Processor with extensive knowledge of the data privacy laws and standards. The DPO shall advise the controller or the processor of their obligations according to the GDPR and shall monitor its implementation. The DPO acts as a liaison between the controller/processor and the supervisory authority. A DPO can, for example, be a Chief Security Officer (CSO) or a Security Administrator.
- Recipient – A natural or legal person, agency or any other body to whom the personal data is disclosed. For example, an individual, a tax consultant, an insurance agent, or an agency.
- Third party – Any natural or legal person, agency or any other body other than the Data Subject, the Controller, the Processor and the persons who, under the direct authority of the Controller or the Processor, are authorized to process the data. For example, partners or subcontractors.
PART 2 – Practical Steps
The GDPR can be thought of as an amalgam of all the previous Data Protection best practices, with a hefty fine to make sure companies comply. If your company has followed all the Data Protection best practices then you just have to run an audit to check you fully comply and all your policies are up to date. If you have not followed best practices then you still have to run an audit, but you will end up with far more gaps to fill, which will require significant internal or external expertise to complete on time.
Here is a video from the ICO’s Information Commissioner, Elizabeth Denham on why Data Protection and GDPR is a board room issue.
- Identify key stakeholders – create a contact list that can be used as evidence of stakeholder awareness
- Raise awareness of key stakeholders – Make key stakeholders aware of new regulatory demands.
- Request key stakeholders to assess the consequences of GDPR on the parts of the organisation or processes they are responsible for.
- General awareness campaign – Plan for a more general awareness campaign across your business to educate staff on the changes to the current legislation and highlight how these changes will impact them
- RACI for GDPR readiness requirements – Clearly set out your business’s approach to the new GDPR legislation and assign responsibilities for managing the change
- Monitor compliance with data protection policies and regularly review the effectiveness of data handling and processing activities and security controls.
- Document data flow map – This should show how all personal data is processed. The documentation needs to meet the requirements of the authorities so it can be submitted at a later date.
  - Include HR, CRM and Digital Marketing data
  - Use a Data Lifecycle as a guide for the data flow maps
  - The contact details of the Data Protection Officer should be included
  - Any movement of data across borders should be documented
- Document any data processing you carry out, identify your lawful basis for carrying it out and explain your lawful basis for processing personal data in your privacy notice(s)
- Promote accountability and governance. Your business should put into place comprehensive but proportionate governance measures including:
  - A privacy by design approach such as Privacy impact assessments
  - Internal data protection policies
  - Staff training
  - Internal audits of processing activities
  - Reviews of internal HR policies
- If your organisation has more than 250 employees, you must maintain additional internal records of your processing activities
- If your organisation has fewer than 250 employees you are required to maintain records of activities related to higher risk processing
- Privacy impact assessments. Implement a plan to introduce the new GDPR Data Privacy Impact Assessments (DPIAs) within your business. Implement procedures to link DPIAs to other risk management and project management processes.
- Appoint a Data Protection Officer (DPO) if you:
  - are a public authority
  - carry out large scale monitoring of individuals
  - carry out large scale processing of special categories of data or data relating to criminal convictions and offences
- Review your consent mechanisms to make sure they meet the GDPR requirements on being specific, granular, clear, prominent, opt-in, documented and easily withdrawn. Review the systems currently used to record consent and implement appropriate mechanisms in order to ensure an effective audit trail.
- Gap Analysis for communicating privacy information in a clear, plain way that a child will understand. When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice. Under the GDPR there are some additional things you will have to tell people. Your business should:
  - Read the ICO’s Privacy notices code of practice, which reflects the new requirements of the GDPR
  - Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
- Gap Analysis for DPA vs GDPR requirements for your business. On the whole, the rights individuals will enjoy under the GDPR are the same as those under the DPA but with some significant enhancements. Your business should:
  - Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format
  - Check your current systems will support the rights of individuals under the new legislation, e.g. deleting electronically held personal data on request
  - Update your procedures and plan how you will handle requests within the new timescales
  - Have policies and procedures in place to outline how any request refusals will be managed and demonstrate why the request meets these criteria
  - Update your procedures and plan how you will handle the need to provide some additional information to people making requests, such as your data retention periods and the right to have inaccurate data corrected
  - Consider conducting a cost/benefit analysis of providing online “self service” access.
- Prevent an attack from succeeding using the GDPR recommended techniques:
  - Encryption – The GDPR considers encryption one of the core techniques to render data unintelligible to any person who is not authorised to access the personal data (Article 32). In the event of a data breach, the Controller need not notify data subjects if the data was encrypted and rendered unintelligible to any person accessing it, which removes notification costs for the organisation (Article 34).
  - Anonymization and Pseudonymization – Data anonymization is the technique of completely scrambling or obfuscating the data, and pseudonymization refers to reducing the linkability of a data set with the original identity of a data subject. The GDPR states that anonymization and pseudonymization techniques can reduce the risk of accidental or intentional data disclosure by making the information unidentifiable to an individual or entity (Recital 28).
  - Privileged User Access Control – The GDPR implies controlling privileged users who have access to the Personal Data, to prevent attacks from insiders and compromised user accounts (Article 29).
  - Fine-grained Access Control – The GDPR recommends adopting a fine-grained access control methodology to ensure that Personal Data is accessed selectively and only for a defined purpose. This kind of fine-grained access control can help organisations minimise unauthorised access to Personal Data.
  - Data Minimization – The GDPR recommends minimising the collection and retention of Personal Data as much as possible to reduce the compliance boundary. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (Article 5).
  - Audit data – The GDPR not only mandates recording or auditing of the activities on Personal Data but also recommends that these records be maintained centrally under the responsibility of the Controller, i.e. processors and third parties must not be able to tamper with or destroy the audit records. In addition to book-keeping, auditing also helps in forensic analysis in case of a data breach.
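To make the anonymization vs pseudonymization distinction above concrete, here is an added example (not from the article, and not any vendor's implementation) using only the Python standard library. The customer records, the field names and the key are constructed for the demo; the point is that pseudonymised rows stay linkable for analytics while the key needed to re-identify them is held apart by the Controller.

```python
import hmac
import hashlib

# Constructed sample records (not real people). Two rows belong to the same person.
RECORDS = [
    {"email": "alice@example.com", "name": "Alice Smith", "dob": "1984-03-12",
     "postcode": "SW1A 1AA", "order_total": 120.50},
    {"email": "alice@example.com", "name": "Alice Smith", "dob": "1984-03-12",
     "postcode": "SW1A 1AA", "order_total": 35.00},
    {"email": "bob@example.com", "name": "Bob Jones", "dob": "1990-07-01",
     "postcode": "M1 1AE", "order_total": 80.00},
]
DIRECT_IDENTIFIERS = ("email", "name")


def pseudonymise(record, key):
    """Swap direct identifiers for a keyed HMAC-SHA256 token of the email.
    The same person always gets the same token, so records stay linkable,
    but the token cannot be reversed or rebuilt without `key`, which the
    Controller keeps separately from the pseudonymised data (GDPR Art. 4(5))."""
    token = hmac.new(key, record["email"].lower().encode(), hashlib.sha256).hexdigest()
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = token
    return out


def anonymise(record):
    """Drop direct identifiers and generalise quasi-identifiers (birth year,
    outward postcode only) so the row can no longer be tied to a person."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["birth_year"] = out.pop("dob")[:4]
    out["postcode_area"] = out.pop("postcode").split()[0]
    return out


def spend_per_subject(pseudo_records):
    """Analytics on pseudonymised rows: totals per token, no identity needed."""
    totals = {}
    for row in pseudo_records:
        totals[row["subject_id"]] = totals.get(row["subject_id"], 0.0) + row["order_total"]
    return totals


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-store-apart-from-the-data"
    pseudo = [pseudonymise(r, demo_key) for r in RECORDS]
    print(spend_per_subject(pseudo))
    print(anonymise(RECORDS[0]))
```

Rotating or losing the key breaks linkability across datasets, so key custody belongs in the same register as the audit records discussed above.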
- Put mechanisms in place to detect, assess and then report any breaches to the ICO where the individual is likely to suffer some form of damage, e.g. through identity theft or confidentiality breach. Document the mechanisms and procedures.
- Review all contracts and data processing agreements made with processors and sub-processors and work out what amendments are required. Document the amendments.
- Data Centralisation. The GDPR recommends centralised administration when dealing with security of multiple applications and systems as they help take immediate actions in case of a breach. Centralised controls also enforce uniformity across multiple targets, reduce the chances of errors on individual targets, and leverage the best practices across the enterprise. (Recital 36)
- If your organisation operates in more than one EU member state, determine which data protection supervisory authority you come under.
- Put in place a standalone policy statement or a general staff policy on data protection. The policy should:
  - set out your business’s approach to data protection together with responsibilities for implementing the policy and monitoring compliance
  - be approved by management, published and communicated to all staff
  - be reviewed and updated at planned intervals or when required to ensure it remains relevant.
- Brief all staff handling personal data on their data protection responsibilities. This should include:
  - induction training – provide awareness training on or shortly after appointment;
  - communication and updates to all staff at regular intervals or when required (for example, intranet articles, circulars, team briefings and posters); and
  - specialist training for staff with specific duties, such as marketing, information security and database management.
- Register with the Information Commissioner if you are a Data Controller processing personal data within your business. You should:
  - record the types of personal data you hold and why; and
  - ensure you notify the ICO on an annual basis so that the details can be recorded on the public register of data controllers.
- Check your business complies with DPA and other codes and regulations (e.g. PECR, DMA Code, CCTV Code etc) prior to GDPR
- If you are sharing data your business needs to inform individuals about the sharing of their personal data and follow the GDPR rules, which are very similar to DPA.
- Risk register
- Stakeholder list with evidence of stakeholder awareness
- RACI for GDPR Readiness
- Data flow map highlighting personal data processing
- Regular meeting with senior stakeholders to monitor compliance
- DPIAs with actionable results
- Implement a programme to prevent an attack from succeeding using the GDPR recommended techniques
- Document techniques used to prevent an attack from succeeding
- Review of consent mechanisms and systems
- Gap Analysis for communicating privacy information
- Gap Analysis for DPA vs GDPR requirements for your business
- Document procedures to detect, assess and then report any breaches to the ICO
- List contracts and data processing agreements with processors and sub-processors and document amendments that are required
- Document the data protection supervisory authority you come under
- Standalone policy statement or a general staff policy on data protection
- Brief all staff handling personal data on their data protection responsibilities
- Audit for Compliance with DPA and other regulations prior to GDPR