GDPR Priorities

Posted by Andrew Ogilvie in IT News

General Data Protection Regulation (GDPR) is a new EU law that will replace the Data Protection Act 1998 (DPA) in the UK from 25 May 2018. Time is now ticking towards this date and even when the UK leaves the EU it is very likely that an equivalent law and similar provisions will continue to apply in the UK.

The UK's Information Commissioner Office (ICO) has identified 12 things that all businesses should do now to prepare for GDPR.

Here we summarise these and the key implications for your business.

1. Awareness Within Organisation

Make sure key decision makers in your organisation are aware of GDPR and compliance is a legal requirement. They need to appreciate the impact the changes will have and that resources need to be allocated in the right timeframe.

2. Review Personal Information Your Hold

Identify what personal data you are holding on individuals and where - an 'Information Audit'. 

Be aware that some information you hold might be in 'informal' formats such as emails, spreadsheets and word documents. These might be held not on central file stores or databases but on individual's computers or on cloud storage like dropbox. Consider too any external cloud applications you use to manage things like emailing lists, administer job applications or manage staff holidays.

3. Review Privacy Notices

Where you are collecting personal data you should already have privacy notices in place, however under GDPR there will be additional things you will have to tell people. For example:

  • explain your lawful basis for processing the data
  • your data retention periods
  • tell individuals that they have a right to complain to the ICO.

4. Meeting Individual's Rights

At present the DPA gives individuals rights to request data that is held about themselves - these are called subject access requests.

These rights are strengthened under GDPR to include, for example, the right to havedata about themselves deleted. Consider how you would handle such a request and whether you need new procedures in place to handle this and decisions related to this.

5. Subject Access Requests

Requirements to comply with these requests are is similar to existing ones under the existing Data Protection Act but normally they are no longer be chargeable (unless tney are excessive) and you will only have 1 month to comply (previously 40 days).

6. Lawful Basis for Processing Personal Data

You should identify the lawful basis for your data processing activity (with respect to personal information) and update your privacy notices to explain it.

We give below three common examples of "lawful basis" for processing data.

Contractual necessity
Personal data may be processed on the basis that such processing is necessary in order to perform or to enter into a contract with the individual.

Consent
Personal data may be processed on the basis that the individual has consented to such processing. If you use an individual's consent to the processing as your lawful basis then the individual will have stronger rights under GDPR to withdraw that consent.

Compliance with legal obligations
Personal data may be processed on the basis that the data controller has a legal obligation to perform such processing. Such obligations must be set out in EU or national law, must meet an objective of public interest and be proportionate.

7. Consent

Review how you seek, record and manage consent to process data. Consent must be freely given, specific, informed and unambiguous. Consent must be a positive opt-in so permission cannot be assumed as a default. Consent also has to be verifiable so keep an audit trail.

8. Children's Data

Consider if you are processing children's data and whether you need to start verifying individuals' ages and obtain parental/guardian permission for such processing activities.

9. Data Breaches

You need to have procedures in place to detect, report and investigate a data breach affecting personal data.

Under GDPR all organisations will have to report some types of data breaches to the ICO and in some cases to the individuals affected. Reporting breaches to individuals is likely to be mainly required for higher risk data breaches where typically the breach could cause discrimination, damage to reputation, financial loss or loss of confidentiality to the individuals affected.

10. Data Protection by Design and Default

Under GDPR the concept of  "privacy by design" becomes a legal requirement.

Privacy by design is an approach to projects that promotes privacy and data protection compliance as an essential and integral part of a project.

Only personal data necessary for a specific purpose is to be processed. The amount of data collected, the extent to which it is used, the period it is stored for and its accessibility are all to be kept to an absolute minimum.

Technical measures must be put in place to prevent access by unauthorised persons. In practical terms this is likely to mean data encryption, suitable physical and IT security and restricting access to data for personnel to an 'only as needed' basis.

You must implement appropriate technical and organisational measures to protect personal data, such as such as pseudonymisation to safeguard of data. Pseudonymisation is the separation of data from direct identifiers so that linkage to an individual's identity is not possible without additional information that is held separately.

Privacy Impact Assessments also become mandatory for specialist high risk data processing.

11. Data Protection Officer

You should assign responsibility for data protection compliance to someone in your organisation.

12. International

If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this. 

The lead authority is the supervisory authority in the state where your main establishment is. This is only relevant where you carry out cross-border processing – ie you have establishments in more than one EU member state or you have a single establishment in the EU that carries out processing which substantially affects individuals in other EU countries.