How can you ensure your company is GDPR compliant?
There are five phases of work that can help ensure that your company is compliant with GDPR.
1 Discovery
Identify what personal data your organisation holds and where this is stored.
Know what information your organisation holds
In order to protect the personal data that your organisation holds, the flows of personal data into and out of the business should be mapped, documented and routinely updated. This data mapping exercise will allow your organisation to ensure that it has a dynamic record of all the personal data held by the organisation, and to use that documentation as the basis of providing documentary evidence of compliance with the 7 Principles of the GDPR.
The data mapping flows should include:
- All data fields collected
- The source of the data
- The volumes of data collected
- The location of the data (servers, websites, platforms, apps, cloud, email etc.)
- The purpose for which the data is used
- Who, internally and externally, may access the personal data, and by what method
- To whom is the personal data transferred and by what method
- For how long the personal data is retained and for what reason
State your lawful basis for processing personal data
Once the data mapping task is complete, your organisation will need to undertake the formal process of confirming, documenting and filing the legal basis on which it collects personal data. Defining the legal basis for processing is a key requirement under GDPR, and failure to do so is considered one of the most serious offences.
2 Management
Manage and communicate how personal data is accessed, collected and used.
Communicate privacy information
When you collect personal data you have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a ‘privacy policy’ (in some companies this is called a 'privacy notice'). You must also tell people your ‘lawful basis’ for processing the data, how long you plan to keep their information and that they have a right to complain to the Information Commissioner’s Office (ICO) if they think there is a problem with the way you are handling their data. GDPR requires this information to be provided in concise, easy to understand and clear plain English. If you have inaccurate personal data and have shared this with another organisation, you will have to tell the other organisation so it can correct its own records.
Gain consent
Review how you seek, record and manage consent. Consent must be freely given and the message around it must be specific, informed and unambiguous. There must be a positive opt-in; consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be separate from other terms and conditions, and you must have simple ways for people to withdraw their consent. Consent has to be verifiable and people generally have more rights where you rely on consent to process their data.
Name your Data Protection Officer (if applicable)
Designate someone to take responsibility for data protection compliance, if you don’t already have someone in this role.
Top Tip
Remember only the following organisations require a Data Protection Officer:
1. Public authorities
2. Organisations that engage in large-scale systematic monitoring
3. Organisations that engage in large-scale processing of sensitive personal data
Protect children
GDPR introduces special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. If relevant to your business, put systems in place to verify people’s ages and to obtain parental or guardian consent for any data processing activity. Children can give their own consent to processing at age 16 (although this may be lowered to 13 in the UK). If a child is younger, you will need to get consent from a person holding ‘parental responsibility’.
International - know which rules apply
If your business operates in more than one EU member state, find out which will be your lead data protection supervisory authority and make sure you apply the relevant rules.
There may be variations on GDPR in different EU member states.
3 Protection
Establish control measures to prevent, detect and respond to data breaches and infrastructure vulnerabilities.
Deal with data breaches
Make sure you have the right procedures in place to detect, report and investigate a personal data breach. You may need to notify the ICO (and possibly some other bodies) if you suffer a personal data breach that is likely to result in anyone being at risk of discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. You will also have to notify the people affected.
Security actions
Organisations have to demonstrate the security of the data they are processing. They will also have to implement substantial technical and organisational measures to demonstrate their compliance with the GDPR on a continual basis. GDPR has specific instructions for what types of security action are required for:
1. The encryption and pseudonymisation of personal data.
2. Provisions for regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures for ensuring the security of the data.
3. Provisions for the confidentiality, integrity, availability and resilience of processing systems and services.
4. The ability, in the event of a physical or technical incident, to restore the availability of and access to personal data in a timely manner.
4 Reporting
Acting on data requests, reporting data breaches & maintaining required documentation.
Be aware of people’s rights
Check your procedures to make sure they cover people’s rights, including how you would delete their personal data or provide data electronically and in a ‘commonly used format.’ People have many rights, including to be informed, access their information free-of-charge, have it deleted and not to be subject to automated decision-making, including profiling.
People have more rights about the way their data is treated and used
The number of days within which you must comply has been reduced from 40 to 30
Handle subject access requests
Update your procedures on how to handle requests to provide any additional information. Under the new rules, you will have a month to comply, rather than the current 40 days, and you can refuse or charge for requests that are ‘manifestly unfounded’ or excessive. If you refuse a request, you must tell the person why, and let them know that they have the right to complain to the supervisory authority and to a legal remedy.
5 Demonstrate Compliance
The principle of accountability.
The principle of Accountability requires all organisations who process personal data to demonstrate compliance with the other 6 Principles. In practice, this means that your company must ensure that it:
- Establishes an internal governance structure which fosters a culture of data privacy from the top down, including:
  - designating an individual to be accountable for data protection within the organisation;
  - inclusion of data protection within Board and Trustee meetings, and minuting of such discussions;
  - the establishment of a specific data protection location (electronic and/or physical) where all data protection evidence documentation is stored and accessible.
- Maintains data inventories and records of data processing activities.
- Develops, maintains and reviews data protection policies addressing the key GDPR requirements.
- Trains all personnel who process personal data in data protection in general, and the organisation’s data protection policies specifically.
Based on what you've just learnt, identify which of the 5 phases the following statements fall into. Don't forget, you can always refer back to the information above should you get stuck.
Map the flows of information and data through your organisation.
Which of the 5 steps does this fall into?