The changes to data protection law (the General Data Protection Regulations, to give it its posh name) are coming at us in just over 4 months’ time on 25 May 2018.
With this in mind I have put together a handy check list to help you move GDPR from your ‘to do’ pile into your ‘doing now’ pile. If a list is too much for you – click here for our handy infographic which summarises these points.
Step 1: Assembling your team
Identify your team and start raising awareness. You might be a spoke in the wheel or leading the gig. Either way you need to gather your team now. Consider including HR, legal, compliance, IT, finance, marketing and research and development. You will need people from all these groups to give a proper oversight as to how data is received, stored, processed and destroyed within your organisation
It would be useful to start by looking at your organisation’s risk register, if you have one. Implementing the GDPR could have significant resource implications, especially for larger and more complex organisations. You may find compliance difficult if you leave your preparations until the last minute. The good news is that if your organisation is already data protection compliant – you are already half way there.
Some very large organisations either must have or would benefit from having a Data Protection Officer – are you one of them?
Step 2: Conduct an Audit
You will need to know how big a job you have and a good place to start is with a data protection audit, which should show how data flows through your business and will help you develop a compliance plan. It will also help you identify the 4 ‘W’s’
- What you hold
- Why you hold it
- Where it came from
- Who you share it with
You will also need to ensure that any third party data processors that you have contracts with also comply with the GDPR. Identify these data processors (off-site payroll etc) as a starting point and ask them what they are doing to ensure they are GDPR compliant.
Step 3 – Review your privacy notices
You will have something like this already – but you might call it a ‘fair processing notice’. Either way, it will need a re-fresh. GDPR mandates a host of required information, which a data controller must provide to an individual data subject at the point at which personal data is collected. These include details of:
- the legal basis upon which personal data will be processed;
- how long personal data will be retained;
- if, and the extent to which, personal data will be transferred overseas, and, in the event that personal data will be transferred outside of the EEA, the appropriate safeguards in place to protect that data; and
- the mechanism by which an individual would make use of their data subject rights, including:
- how to make a subject access request; and
- how to request the deletion or rectification of personal data.
- Rights to object if employer relying on legitimate interest as legal basis for processing data
- Right to complain
Step 4 – Get to know individual data subject rights
This is an area of significant enhancement under GDPR – we like the summary: ‘delete it, freeze it or correct it’. Whilst rights vary- these only ‘kick in’ where there is a non-compliance with data protection principles. If you are in HR, expect your employees to be interested in these rights (there will be lots of publicity about them come May) and be ready if a challenge is presented.
Step 5 – Subject Access Requests – the changes
Mercifully, this is staying broadly similar to the current system but with some changes – out goes the 40 day time limit and a request for £10 – in comes responding ‘without undue delay and within one month unless the request is complex’ and no fee (unless the request is manifestly unfounded or excessive when a reasonable fee for administration costs can be requested). ‘Manifestly unfounded’?, ‘excessive’?, who knows that these mean? We will probably have to wait to get some decisions from the Information Commissioner’s Office (ICO) before we fully know the boundaries.
Step 6 – Get to know the lawful basis for processing data within your organisation
There must be a legal basis for processing personal data. This has not changed. Currently the majority of data controllers use ‘consent’ as their lawful basis for processing data. Changes under GDPR mean that if you wish to use consent, it will be much harder (see Step 7 below), and will not really work in an employment context. Other lawful bases include: processing is necessary for the performance of a contract or where there is genuine legitimate interest (including commercial benefit) to processing personal data.
Step 7 – Using consent as a lawful basis for processing – stop and think!
As mentioned above – there will be stricter conditions if the data controller wishes to rely on consent as its lawful basis for processing data. Under GDPR, consent must be freely given, specific, informed and unambiguous with a genuine free choice. This is a whole world away from a box to tick or untick and will be one of the areas where we will see the most changes.
Step 8 – Be ready to report Data Protection breaches
Much has been made of the tougher regime and fine structure of the new GDPR for data protection breaches and this shouldn’t be ignored. For organisations of 250 employees or less you will be required to maintain records of activities related to higher risk processing such as processing personal data that could result in risk to the rights and freedoms of individuals. If you are a 250+ employer, you must maintain additional internal records of your processing activities.
If there is either an accidental or deliberate personal data breach leading to loss, destructions or publication of personal data, your organisation must notify the Information Commissioner’s Office within 72 hours and a record must kept of all data breaches. There is no reporting requirement if the breach is unlikely to result in a risk to data subjects. In any event your organisation will need to have a clear policy as to how internal breaches are reported.
All this will lead to a greater emphasis on compliance and we all know that with compliance it is not just enough to comply, you will have to SHOW that you comply. In reality this is going to mean ensuring you have the right policies and procedures in place to show how you comply with DP. Start with dusting off all your current policies to assess how GDPR-ready they are, and if you don’t already have one a Data Protection policy will be the absolute starting point.
Step 9 – Data Protection Impact Assessments – the future starts here
The GDPR requires a data protection impact assessment under certain circumstances, including where the processing is likely to result in a high risk to the rights and freedoms of data subjects Therefore this will apply when the data controller implements new programs, systems, or processes, or when the data controller makes changes to programs, systems, or processes.
Get used to including a data protection impact assessment as part of any key project going forward.
Step 10 – Keep calm and keep checking the ICO website
You are not alone. Many organisation have left GDPR in the ‘too difficult’ pile. Rather like eating an elephant, it is always less daunting to do this in small bites. We are here to help with any of your data protection queries. Also, the ICO is a very useful resource and will be releasing several guides over the coming months. We will be keeping an eye on these too but here is the link for the curious. https://ico.org.uk/
email Anne-Marie or call 0117 325 0924