By now, all organisations that deal with personal information should be aware of the GDPR, which will come into force in May next year (see our first article, GDPR: The Facts). In this article, the second in our series of GDPR blogs, Claire Wright, Data Privacy Officer at MHR, looks at what organisations should be doing to become compliant in time for the GDPR deadline.
To recap: on 25 May 2018 the GDPR will come into force, replace the current EU data protection legislation and influence the revision of the current UK legislation. Its purpose remains the same as that of the current regime: to protect the rights and privacy of individuals. The GDPR will apply to any company based in the EU and/or processing the personal data of EU citizens, leaving very few companies exempt.
Currently, organisations that process personal data are required to register the fact that they do so with the UK supervisory authority, the Information Commissioner's Office (ICO), and pay a nominal fee. Under the GDPR you will need to be able to actively demonstrate compliance.
What steps do we need to take to demonstrate GDPR compliance?
- Do you know what personal data you process and what purpose it is administered for?
- Can you demonstrate how you meet the obligations of GDPR?
- Have you looked at this across the organisation, not just in obvious departments?
To understand what personal data you process, a data mapping exercise is needed. This activity will produce a personal data asset register, which can then be used to demonstrate and manage your GDPR compliance.
Accountability records must include details and evidence of:
- The lawful basis for processing
- The purpose for processing
- The categories of personal data being processed
- Details of any third parties engaged in the processing
- How long that data is retained for
- How that data can be accessed by the individual or details of how they can execute their rights in terms of that processing
- What technical and physical security measures are in place, and their adequacy.
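The data mapping exercise and the accountability record fields listed above lend themselves to a simple, checkable structure. The following is an added example, not code from the MHR article: a minimal personal data asset register in Python whose entries carry the fields listed above, plus a check that reports which entries cannot yet evidence compliance. The record layout, the sample entries, the retention figures and the 12-month review threshold are all constructed assumptions for illustration; only the six lawful bases are taken from GDPR Article 6(1).

```python
"""Added example: a personal data asset register with a compliance gap check.
The field names, sample entries and thresholds are constructed assumptions,
not taken from the article or from any regulator's template."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Lawful bases named in GDPR Article 6(1); every register entry must record one.
LAWFUL_BASES = {"consent", "contract", "legal obligation", "vital interests",
                "public task", "legitimate interests"}

# Constructed threshold: an entry not revisited within a year is flagged so that
# changed processes (privacy by design) trigger a register update.
REVIEW_INTERVAL_DAYS = 365


@dataclass
class ProcessingRecord:
    """One accountability record, mirroring the fields listed in the article."""
    activity: str                                        # e.g. "payroll"
    purpose: str                                         # purpose for processing
    lawful_basis: str                                    # one of LAWFUL_BASES
    categories: List[str]                                # categories of personal data
    processors: List[str] = field(default_factory=list)  # third parties engaged
    retention_months: Optional[int] = None               # how long the data is kept
    rights_procedure: str = ""                           # how individuals exercise rights
    security_measures: List[str] = field(default_factory=list)  # technical/physical controls
    last_reviewed: Optional[date] = None                 # when the entry was last checked


def validate_record(rec: ProcessingRecord, today: date) -> List[str]:
    """Return the findings for one entry; an empty list means the record is complete."""
    findings = []
    if rec.lawful_basis not in LAWFUL_BASES:
        findings.append("lawful basis missing or not a GDPR Article 6 basis")
    if not rec.purpose.strip():
        findings.append("purpose of processing not recorded")
    if not rec.categories:
        findings.append("categories of personal data not recorded")
    if rec.retention_months is None:
        findings.append("retention period not defined")
    if not rec.rights_procedure.strip():
        findings.append("no procedure for individuals' rights (e.g. access requests)")
    if not rec.security_measures:
        findings.append("no technical/physical security measures recorded")
    if rec.last_reviewed is None or (today - rec.last_reviewed).days > REVIEW_INTERVAL_DAYS:
        findings.append("entry not reviewed in the last 12 months")
    return findings


def audit_register(register: List[ProcessingRecord], today: date) -> Dict[str, List[str]]:
    """Map each activity with gaps to its findings; complete entries are omitted."""
    report = {}
    for rec in register:
        findings = validate_record(rec, today)
        if findings:
            report[rec.activity] = findings
    return report


# Constructed sample register: one complete entry, two with gaps.
SAMPLE_REGISTER = [
    ProcessingRecord(
        activity="payroll", purpose="pay staff and report earnings to the tax authority",
        lawful_basis="legal obligation", categories=["name", "bank details", "NI number"],
        processors=["outsourced payroll provider"], retention_months=72,
        rights_procedure="written request to HR, answered within the statutory deadline",
        security_measures=["encryption at rest", "role-based access", "locked filing"],
        last_reviewed=date(2017, 9, 1)),
    ProcessingRecord(
        activity="marketing newsletter", purpose="send product updates",
        lawful_basis="consent", categories=["email address"],
        rights_procedure="unsubscribe link in every email",
        security_measures=["TLS in transit"]),          # no retention, never reviewed
    ProcessingRecord(
        activity="visitor log", purpose="", lawful_basis="because we always have",
        categories=[], last_reviewed=date(2017, 10, 1)),  # almost nothing evidenced
]

if __name__ == "__main__":
    for activity, findings in audit_register(SAMPLE_REGISTER, date(2017, 11, 1)).items():
        print(activity)
        for f in findings:
            print("  -", f)
```

Running the script lists only the entries with gaps, which is the shape of output a DPO needs when prioritising remediation before the deadline. Extending the check with a retention review (comparing each record's retention period against the data actually held) is the natural next step once the register exists.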
Appointment of a Data Protection Officer (DPO)
Public authorities, and organisations that process personal data as a core activity or carry out large-scale processing of special categories of personal data, must appoint a competent DPO. What counts as 'large scale' has not been defined, but industry guidelines suggest 250+ employees and/or records as a guide.
The role of the DPO is to offer impartial advice and support with regard to all processing and legal activities. Having such a person within an organisation will deliver the confidence and governance required. Even if the GDPR does not require you to appoint a DPO, there could be significant benefits in doing so.
The DPO role can be full-time or part-time. Where it is carried out as a part-time activity within a full-time role, there must be no conflict of interest that would prevent the person from fulfilling their role as DPO.
Training and awareness programme
It is easy to be distracted by the technical controls we put in place to manage the security of our data, but statistics show that 64% of data breaches occur due to human error, compared with 16% due to cyber attacks. It is critical that employees understand their roles and responsibilities and that they are properly equipped through appropriate and regular training and awareness programmes. Organisations will need to be able to evidence that training has taken place.
Privacy by Design
When new processes and/or products are introduced or changed, it is important to ensure that they are reviewed against the provisions of the GDPR. Conducting a Privacy Impact Assessment (PIA) early in a project or implementation lifecycle will ensure that privacy risks have been identified, considered and planned for. Remember to update your data asset register!
Breach Management
Compulsory 72-hour breach notifications have been introduced under the GDPR for certain categories of breaches. Notification is to the regulator and may also require notifying the individuals concerned. Do you have a breach management process? If not, you will need to implement one.
Individuals' rights
The most common right is that of access to all the personal data that an organisation processes about the individual. This is an absolute right and can be requested at any time. Under the current legal framework you have 40 calendar days to respond to a request and can charge a nominal fee. Under the GDPR the fee has been removed and the timeframe for delivery reduced to 21 calendar days. For some organisations this will have a resourcing impact.
There are other rights. You need to familiarise yourselves with these and establish which are relevant to your processing activities. Remember, though, that where there is a legal basis for processing other than consent, the right to object and/or the right to erasure would not be applicable.
Data minimisation and retention
Keep it short and sweet. Only process the information needed to perform the task. When you start to process unnecessary data you put yourselves at potential risk of a breach and also assume the role of data controller!
"We outsource our processing, so the GDPR does not relate to us."
Many organisations choose to outsource their payroll processing services. This can be attributed to numerous factors, of which resource and capability are the main drivers.
It is worth noting that outsourcing the processing does not outsource the responsibility. You should select a processor that can demonstrate it meets the obligations of the GDPR, and make sure the processor is subject to written terms of processing and to regular supplier due diligence audits and measures.
GDPR key stages:
- Ensure that senior management are clear on and committed to the requirements of the GDPR and are key sponsors of the project
- Conduct a data mapping exercise
- Appoint a DPO, if necessary
- Check that adequate privacy policies and procedures are in place
- Review that privacy notices are accurate and easy to understand
- Understand the legal basis on which you are processing and, where you rely on consent, ensure that the conditions of the GDPR are met
- Review retention periods and check records are being managed in accordance with these
- Have processes in place for dealing with individuals' rights
- Check that there are written terms and contracts in place with data processors
- Ensure that adequate physical and technical security is in place.
At first glance the GDPR may appear cumbersome and unyielding; however, the core principles should already be in place, and in the majority of cases they will be. Start eating that elephant: understand what personal data you process, conduct a processing audit and map this against the new GDPR conditions. This will be the foundation of your compliance programme.
Let's not waste any more time debating whether we need to comply; we do. Here at MHR we have compiled a handy GDPR self-assessment form to ascertain where you are on your GDPR compliance journey, and what your next steps need to be to meet the requirements for May 2018.
For more information about how MHR are helping organisations across the UK with their GDPR journeys, and what we can do to help you, please email firstname.lastname@example.org and one of our GDPR experts will be in touch.