There are lots of people offering advice on GDPR, but essentially, the go-to authority is the ICO who will be monitoring and enforcing compliance upon the launch of the regulation on 25th May 2018. The ICO are saying that the foundations of the GDPR can be found in the current Data Protection Act (DPA), and that those who are compliant with this will be able to ‘add’ and ‘enhance’ what they are doing to ‘upgrade’ to GDPR compliance. To what extent this is ‘softening the blow’ isn’t yet determinable, but one thing is for sure, every organisation will have some work to do as a result.
Currently the ICO have published a ‘12 steps to take now’ guide, along with some helpful blog articles expanding on it, on their website ico.org.uk. In a nutshell, the steps are:
1) Awareness
Be aware that GDPR is coming and consider the likely impact on your organisation.
2) Information you hold
An information audit may be helpful to document what personal data you hold, its source and who has access to it.
3) Communicating privacy information
Review your current privacy notices against GDPR guidelines to establish what changes may be necessary.
4) Individuals’ rights
Check that your procedures cover the rights of the individual, specifically how, if requested, you would delete their data or provide it electronically in a commonly used format.
5) Subject access requirements
Update your procedures along with timescales for responding to requests for information.
6) Lawful basis for processing personal data
Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
7) Consent
Review and adjust how you seek, record and manage consent to comply with the GDPR standard. Where existing consents don’t conform, refresh them now.
8) Children
Consider if age verification and parental/guardian consent will be necessary for any of the data you hold.
9) Data breaches
Ensure that you have the required procedures in place to detect, report, and investigate a personal data breach.
10) Data protection by Design and Data Protection Impact Assessments
Familiarise yourself with the ICO’s Privacy Impact Assessment code of practice, and the latest guidance from the Article 29 Working Party in order to establish a timeline for implementation within your organisation.
11) Data Protection Officers
You may need to designate a Data Protection Officer, but at the very least you will need to assign somebody to be responsible and accountable for data protection compliance within your organisation.
12) International
If you carry out cross-border processing, i.e. operate in more than one EU member state, you will need to refer to the Article 29 Working Party guidelines to determine your lead data protection supervisory authority. (There are specific guidelines around transfers of personal data to third countries or international organisations.)
The ICO have launched a Data Protection self assessment with specific reference to Getting Ready for the GDPR. This 5-step multiple-choice survey calculates your readiness based on your status at each of the applicable planning and implementation stages. It covers all of the ‘12 steps’ outlined above in a somewhat interactive way, with the addition of ‘Accountability’ (framework of policies and procedures, compliance monitoring). The end result will give you a rating with suggested actions.
Importantly, there is a need to demonstrate your compliance with GDPR. This is detailed in their ‘Accountability and Governance’ document, but as an overview it involves:
· internal policies, training, audits and reviews
· maintaining relevant documentation on activities
· appointing a Data Protection Officer (where appropriate)
· implementing measures meeting the principles of ‘data protection by design and default’ (including minimisation, pseudonymisation, transparency, monitoring, improving security, impact assessments)
There are also approved codes of conduct and certification schemes which you can commit to adhere to (which are similar to those outlined above).
If the terminology ‘privacy by design’ is new to you, then essentially it refers to an approach to building systems that store or access data in which minimising privacy risks and building trust are prioritised. This affects the development of any policy, legislation or strategy with privacy implications, data sharing, and using data for new purposes. Privacy Impact Assessments are core to the privacy by design approach, helping to identify and reduce privacy risks and the potential for harm through misuse.
Changes in consent are some of the key action points to implement, and involve providing individuals with genuine choice and control. All organisations are responsible for reviewing existing consents and mechanisms to ensure they meet the GDPR standard, which is outlined as:
· Positive opt-in is required, any means of consent by default is deemed unacceptable, such as pre-ticked boxes.
· All consent needs to be evidenced, as does the means of obtaining it (who, when, how, what).
· Consent requests need to be kept separate from other terms and conditions, with specific, clear and concise statements about what people are consenting to have you do with their data, and any third party exposure. This needs to be granular where there are distinct processing operations.
· The right to withdraw consent must be clearly outlined.
· Consent cannot be attached to the right to service.
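To make the consent standard above concrete, here is a small consent ledger written for this post (it is not NetXtra’s or the ICO’s code, and the class and field names are hypothetical). It enforces positive opt-in by rejecting pre-ticked forms, stores one auditable event per subject and purpose so consent is granular and evidenced (who, when, how, what), records withdrawals alongside grants, and answers “do we currently hold consent for this purpose?” from the most recent event. The timestamps and user ids are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical consent ledger modelled on the GDPR consent requirements listed
# above. Names (ConsentLedger, ConsentEvent) and the sample data are constructed
# for this example.


@dataclass(frozen=True)
class ConsentEvent:
    """One auditable event: who, what purpose, grant or withdrawal, how, and when."""
    subject_id: str
    purpose: str
    action: str          # "granted" or "withdrawn"
    method: str          # how it was captured, e.g. "signup form v3, boxes unticked"
    recorded_at: datetime


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_choices(self, subject_id: str, choices: Dict[str, bool], method: str,
                       preselected: bool = False,
                       now: Optional[datetime] = None) -> List[str]:
        """Record the purposes a subject affirmatively ticked.

        choices maps each distinct purpose to whether its box was ticked, so consent
        is granular per processing operation. A form whose boxes were pre-ticked
        cannot evidence a positive opt-in and is rejected outright.
        Returns the purposes for which consent was granted.
        """
        if preselected:
            raise ValueError("pre-ticked boxes are not valid consent under GDPR")
        now = now or datetime.now(timezone.utc)
        granted = []
        for purpose, ticked in choices.items():
            if ticked:
                self._events.append(ConsentEvent(subject_id, purpose, "granted", method, now))
                granted.append(purpose)
        return granted

    def withdraw(self, subject_id: str, purpose: str, method: str,
                 now: Optional[datetime] = None) -> None:
        """Withdrawal is recorded as its own event, never by deleting the grant."""
        now = now or datetime.now(timezone.utc)
        self._events.append(ConsentEvent(subject_id, purpose, "withdrawn", method, now))

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """True only if the most recent event for this subject and purpose is a grant."""
        latest = None
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.action == "granted"

    def evidence(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """The audit trail you would produce to demonstrate consent or its withdrawal."""
        return [ev for ev in self._events
                if ev.subject_id == subject_id and ev.purpose == purpose]


def demo() -> dict:
    """Walk through grant, withdrawal and a rejected pre-ticked form on constructed data."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    ledger.record_choices("user-42", {"newsletter": True, "partner-offers": False},
                          method="signup form, boxes unticked by default", now=t0)
    ledger.withdraw("user-42", "newsletter", method="account settings page",
                    now=t0.replace(hour=12))
    try:
        ledger.record_choices("user-7", {"newsletter": True}, method="legacy form",
                              preselected=True)
        preticked_rejected = False
    except ValueError:
        preticked_rejected = True
    return {
        "newsletter_after_withdrawal": ledger.has_consent("user-42", "newsletter"),
        "partner_offers": ledger.has_consent("user-42", "partner-offers"),
        "newsletter_events": len(ledger.evidence("user-42", "newsletter")),
        "preticked_rejected": preticked_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the ledger is append-only: a withdrawal is a new event rather than an edit, so the evidence trail for any purpose shows exactly who consented, when, by what means, and when they changed their mind. Consent that is only held as a boolean flag on a user record cannot be evidenced in that way.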
If consent is a challenge in your context, there may be a case for ‘another lawful basis’, but this is restricted to the following dispensations:
· Collecting/holding/using data in order to fulfil an order for goods or services, or obligations under an employment contract.
· Where data is required for processing by UK or EU law, or fulfils a public task.
· Where data is required to protect someone’s life (the data subject or someone else).
· Legitimate interests – ‘as a private-sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests.’
The rights of the individual are defined under GDPR as:
To be informed, to have access, to rectify, to erase, to restrict processing, to object, to port data for their own purposes and to make decisions around automated decision making and profiling.
The GDPR will impose a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the affected individuals. A data breach is defined as where a breach of security leads to the ‘destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.’ A breach only needs to be reported to the supervisory authority where it is likely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, those individuals must be notified directly. Breach notifications need to contain certain information and be made within 72 hours of an organisation becoming aware of the breach. It is important to have procedures in place for this eventuality, along with robust detection, investigation and internal reporting procedures.
So whilst there is lots to consider with the new GDPR legislation coming into place, the ICO are providing guidance, and helping organisations to prepare for implementation. With many voices giving their perspective on GDPR there is a danger that aspects are being misrepresented. As an organisation, NetXtra are taking our lead from the ICO, and starting to make relevant changes to internal policies and procedures now to prepare. Although it can be perceived as a major disruptor, GDPR can be embraced as a motivator for reviewing the way we do things in a positive way. NetXtra have chosen to embrace the latter and break down the large subject into the more manageable chunks outlined above. We hope you find this helpful.
Largely, GDPR requires organisation-wide policies to be drawn up, agreed and implemented, with the outcomes mostly affecting how data is managed, stored and shared, which could impact how you use your CRM and backup processes. You can read about NetXtra's position on GDPR here. If you would value a discussion about the ramifications of GDPR for your systems, then please do get in touch.