The General Data Protection Regulation 2016/679 (GDPR) will be implemented in the UK and across the EU from 25 May 2018. The build-up has been characterised by noise and scaremongering about fines and an endless supply of new GDPR ‘experts’.
However, whilst the Information Commissioner’s Office (ICO) and the Article 29 Working Party have some useful resources, there has been a notable lack of practical guidance. So, unless you have spent the past six years following data protection reform and especially if you are feeling like a GDPR straggler with only 100 days to go, you might need some practical tips.
An important thing to understand is that the GDPR is an evolution from and an enhancement of the provisions of the Data Protection Directive, implemented into UK law by the Data Protection Act 1998.
The GDPR makes today’s best practice under the Directive and Data Protection Act 1998 tomorrow’s minimum standard. If your organisation currently takes data protection seriously, you will be in a good position to approach the GDPR.
Understand why and how your organisation uses personal data
Start with the absolute basics – why and how does your organisation use personal data?
There are a lot of complex audit services that can help you understand your organisation’s use of personal data. However, if you have not hired expert auditors and there’s still a storeroom full of boxes to check and a suspicious number of old servers in the IT room, the first thing to do is to start listing why and how your organisation uses personal data.
If you don’t know where to begin, start by listing all the different departments which use personal data. Once you have your list of departments, list why each department uses personal data and how they use it.
At an organisational or departmental level, build a picture of how you store personal data and for how long you keep it. List all the decisions you make with personal data including any automated decision-making processes. Make sure you are clear about where you obtain personal data from and with whom you share it.
Test your organisation’s use of personal data against the GDPR
Use your understanding gathered in the audit to test your organisation’s use of personal data against the requirements of the GDPR, starting with the data protection principles (Article 5) (see Overview of GDPR: Data protection principles).
The first data protection principle (‘lawfulness, fairness and transparency’) requires you to have a legal ground (see Article 6 and Overview of GDPR: Lawfulness of processing) for the processing (or an exemption). List the various legal grounds for processing in the GDPR and then identify the grounds that are relevant to your organisation’s processing.
For public bodies, much of the processing will be on the grounds of tasks carried out in the public interest. Private organisations will often be relying on the grounds of consent or legitimate interests. Both private organisations and public bodies will process personal data on the grounds of contracts the data subject is party to and on the grounds of legal duty, such as regulatory obligations (Article 6).
Once comfortable with the various grounds on which you process personal data, check that your processing meets the requirements of the grounds. For example, if your processing is based on consent, is the consent freely given, specific, informed and unambiguous (Article 4)? Do you have an accessible record which demonstrates that the consent meets the relevant criteria and was given by a statement or clear affirmative action (Article 7)?
If you are relying on legitimate interests, have you carried out a legitimate interests assessment for the processing? Did the assessment give due weight to the rights of the data subject? Is there a proper record of the legitimate interest assessments to demonstrate compliance with the GDPR?
Remember that you may only process special category personal data (for example, medical information, biometric identifiers and information about a person’s sex life) in limited circumstances (Article 9) (see Overview of GDPR: Special categories of personal data).
When you have identified grounds for processing and checked your compliance against them, look at your compliance with the other data protection principles. Check that in accordance with the second principle (‘purpose limitation’) your organisation is not using personal data in a way that is incompatible with the purposes for which it was collected.
Ensure, as required by the third principle (‘data minimisation’), that the personal data you use is sufficient to complete the purposes for which it is processed but limited to what is actually needed. Employ policies which encourage a culture of data minimisation (see Privacy standard (GDPR version)).
Under the fourth principle (‘accuracy’) you must make sure personal data is accurate and where necessary kept up to date. Remember that a small mistake (such as a misspelt name) can have big consequences.
The fifth principle (‘storage limitation’) stipulates that personal data must not be kept for longer than necessary. Check how long you need to keep personal data to complete certain tasks. Also check for any legal obligations or exemptions which require or allow you to keep personal data for longer. Once you have a clear picture, draw up a retention and destruction policy with regular review points for different types of personal data.
The sixth principle (‘integrity and confidentiality’) requires organisations to implement appropriate technical and organisational measures to ensure the security of the personal data they process. Security not only involves speaking to IT about firewalls and emails but also ensuring your organisation has appropriate training on data protection (see GDPR training materials). Ensure colleagues are aware of organisational data protection and security policies and their roles in keeping personal data safe (see also Articles 24 and 32).
Finally, be prepared to demonstrate your compliance with the principles and other aspects of the GDPR. Think about how to structure your data protection policies, procedures and record-keeping to demonstrate that you seek to comply with the GDPR (see Demonstrating Compliance with the GDPR).
Focus on data subjects
The best way to improve data protection in your organisation is to put the data subject at the centre of your processes. Build processes which focus on transparency and data subjects’ rights. Do not treat data protection as an afterthought or tick-box exercise.
Use your obligation of transparency to inform your data protection policies and to meet the requirement to implement data protection by design and default throughout your organisation (see Overview of GDPR: Data protection by design and by default).
Once you are familiar with how your organisation uses personal data and assessed compliance against the data protection principles, get to grips with data subjects’ rights under the GDPR (see Data Subject Rights Under the GDPR).
Start with the requirement to provide data subjects with information about the personal data you process, commonly referred to as ‘privacy notices’ (see Updating Privacy Notices to Comply With the GDPR (Checklist)). Whether you obtain personal data from the data subject or from elsewhere, you have a duty (unless impossible or disproportionate or an exemption applies) to provide the data subject with a number of key pieces of information in a privacy notice. These include why you are processing personal data and your grounds for processing. You will also need to give the categories of personal data you are processing, for example any special category personal data or information with a high-risk factor, such as financial data, that you use. Explain where, how and why you use pseudonymised personal data.
Your privacy notice must also include the details of any parties you share personal data with. You should list the recipients by name, failing which you should give as much detail as possible about the categories of recipient. Be prepared to justify to data subjects and the ICO why you have taken this approach.
In addition to these pieces of information (and some others) you should give data subjects information about their rights (for example, the rights of access and rectification and the right to make a complaint to the ICO). You should also tell data subjects how long personal data will be stored.
An often overlooked but key obligation under the GDPR is the requirement to keep records of your processing (see Record of Processing Activities Under Article 30 (GDPR)). There is an overlap between some of the information which must be included in a privacy notice and that which should be kept in records of processing. Organisations should use the information in privacy notices to inform records of processing.
Once you are happy with your privacy notice and level of transparency, test compliance with data subjects’ rights (see Response procedures for data subject requests under GDPR). For example, test your subject access procedure to make sure you can locate and provide personal data of a data subject within one month (see Responding to Data Subject Requests Under the GDPR (Checklist)). Ensure that if requested by a data subject, you are able to rectify any inaccuracies ‘without undue delay’. Also familiarise yourself with data subjects’ new rights under the GDPR to be forgotten and to data portability.
- Get familiar with your organisation’s use of personal data and the data protection principles.
- Put data subjects at the centre of your processes when seeking to implement the requirements of the GDPR.
- Do not treat the GDPR as a box-ticking exercise. Paying lip service risks complaints from data subjects and enforcement action from the ICO. Could your organisation survive a big fine or operate without being able to process personal data on a temporary or permanent basis?
For more information on the GDPR, see Overview of GDPR.
For a checklist to assist with preparing for GDPR, see Preparing for the GDPR (Checklist).