GDPR - what to do now...
by Mandy Webster
What organisations need to know now...
GDPR assumes compliance with current data protection requirements; if you are in any doubt as to current compliance, undertake an audit as a necessary first step.
The seismic shift in compliance culture
Under GDPR it will no longer be possible to be reactive to data protection problems; the whole thrust of the regulation is to make organisations consider the risks inherent in personal data processing and manage them proactively and appropriately. There is a new “Principle of Accountability”, meaning that organisations are accountable for the compliance of their personal data processing operations. Organisations will need to demonstrate that they comply with GDPR and how that is achieved.
We recommend that data protection roles and responsibilities are clearly defined in a Data Protection Policy and that, depending on the risks presented by the data processing operations of business activities, appropriate policies and procedures are adopted, such as Telephone Call Recording Procedures, Archive and Document Retention Procedures, Home Working Procedures and Data Sharing Protocols. This will help to evidence risk management controls.
There are new record keeping requirements in GDPR too, more detailed than those currently on the ICO register of data controllers. GDPR requires that each processing operation should be documented. If there is a problem, the ICO will expect organisations to make this documentation available to it, to provide information about those processing operations.
So, as a next step, organisations need to identify their data processing operations: identify databases, what data is held, what it is used for, who it is shared with and how long it is retained. This “Information Asset Register” helps to demonstrate risk management controls; after all, if you don’t know what data you are processing, how can you evidence that you are compliant? As a practical point, allocate a “business owner” to each data set because, although IT is responsible for the systems’ functionality, they are not responsible for the business data, and it helps to make it clear who is responsible for it. An independent audit can be a good way to start to build the Information Asset Register and access specialist guidance on implementing risk management controls.
Designated Data Protection Officers
GDPR requires certain organisations to designate a Data Protection Officer (“DPO”). Public bodies, and other organisations that undertake some of the tasks normally undertaken by public bodies, are required to appoint a DPO. Private organisations that meet specific criteria must also appoint a DPO. The criteria are that the core activities of the business involve monitoring individuals on a large scale or processing sensitive personal data on a large scale.
At the very least, organisations should undertake an assessment of their data processing activities and make a decision as to whether or not a designated DPO is required. This process needs to be documented, setting out the reasons supporting the decision. As a practical point, take special care if there is already a designated DPO; ensure that any decision to declassify that role is fully supported. Also, in cases where the organisation decides that it is helpful to identify a central contact for data protection matters, externally or internally, on a voluntary basis, ensure that the role is given another title. Use of the designation “DPO” brings the full weight of the GDPR around the role and responsibilities into effect.
Subject rights and IT changes
Most of the IT changes that will be required to comply with GDPR stem from the new and updated subject rights. Therefore this is an area that requires immediate action: brief the IT support team, as they will need time to introduce the necessary system changes.
Right of subject access
As with the right of subject access under the Data Protection Act 1998, the controller will be required to provide a copy of the personal data undergoing processing. A big difference under GDPR is that where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
Organisations that currently respond to subject access with physical paper copies of personal data will need to be prepared to produce the output as PDF to meet this requirement at least. Ideally, start investigating electronic solutions now, for example a PDF editor so that redaction can be undertaken easily and PDF copies sent to the subject electronically. Bear in mind that personal data should not be sent via email, since email is not a secure communication technology unless additional tools are used to encrypt and decrypt the data. GDPR encourages organisations “to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data”. As a practical point, see how Google are already responding to this challenge in “My Account”.
Right to be forgotten and right to restrict processing
This is one of the new subject rights. The data subject shall have the right to erasure of personal data relating to him or her without undue delay on specific grounds including where the personal data are no longer necessary in relation to the purposes for which they were collected or where the data subject has legitimate grounds to withdraw consent to the processing.
The right to restrict processing is also triggered by the data subject in specific circumstances, requiring the controller to retain records containing personal data. Where processing has been restricted, the data shall, with the exception of storage, only be processed with the data subject’s consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. This right applies in specific circumstances but data portability means giving the data subject the right to have the personal data transmitted directly from one controller to another, where technically feasible. Again, an IT solution will be required. At present XML and JSON are the most commonly used machine readable formats and it is suggested that any new developments should really only focus on those.
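The three rights just described (erasure, restriction of processing and portability) all translate into concrete behaviour of the systems that hold personal data. The following is an added example, not code from the article or its author, showing a minimal in-memory record store that enforces them: a restricted record may still be stored (and used for the other exempt purposes the text lists) but not processed for anything else without consent; a portability export contains only the data the subject provided, in JSON; a subject access copy contains all personal data undergoing processing, including data the controller derived. All class names, field names, purpose labels and the sample record are constructed for illustration.

```python
"""Added example (not from the article): enforcing erasure, restriction of
processing and portability export on a simple record store.  All names,
purpose labels and sample data are constructed for illustration."""
import json
from dataclasses import dataclass, field
from typing import Dict

# Purposes that GDPR still permits while processing is restricted (as listed
# in the article): storage, legal claims, protecting another person's rights
# and important public interest.  Any other purpose needs the subject's consent.
RESTRICTION_EXEMPT_PURPOSES = frozenset({
    "storage",
    "legal_claims",
    "protect_rights_of_others",
    "important_public_interest",
})


class ProcessingRestricted(Exception):
    """Raised when a purpose is blocked by a restriction of processing."""


@dataclass
class SubjectRecord:
    subject_id: str
    provided: Dict[str, str]                                # data the subject supplied (portable)
    derived: Dict[str, str] = field(default_factory=dict)   # data the controller created (not portable)
    restricted: bool = False
    consent_while_restricted: bool = False


class RecordStore:
    def __init__(self) -> None:
        self._records: Dict[str, SubjectRecord] = {}

    def add(self, record: SubjectRecord) -> None:
        self._records[record.subject_id] = record

    def restrict(self, subject_id: str) -> None:
        """Right to restrict processing: the record is kept but fenced off."""
        self._records[subject_id].restricted = True

    def erase(self, subject_id: str) -> bool:
        """Right to erasure: drop every record for the subject.
        Returns True if anything was actually removed."""
        return self._records.pop(subject_id, None) is not None

    def process(self, subject_id: str, purpose: str) -> Dict[str, str]:
        """Gate every use of the data on the restriction flag and the purpose."""
        rec = self._records[subject_id]
        if (rec.restricted
                and purpose not in RESTRICTION_EXEMPT_PURPOSES
                and not rec.consent_while_restricted):
            raise ProcessingRestricted(f"purpose {purpose!r} blocked for {subject_id}")
        return {**rec.provided, **rec.derived}

    def access_copy(self, subject_id: str) -> str:
        """Subject access: all personal data undergoing processing, as JSON
        (a commonly used electronic form)."""
        rec = self._records[subject_id]
        return json.dumps(
            {"subject_id": subject_id, "provided": rec.provided, "derived": rec.derived},
            indent=2, sort_keys=True)

    def export_portable(self, subject_id: str) -> str:
        """Data portability: only the data the subject provided, as structured,
        machine-readable JSON suitable for handing to another controller."""
        rec = self._records[subject_id]
        return json.dumps({"subject_id": subject_id, "data": rec.provided},
                          indent=2, sort_keys=True)


def demo() -> dict:
    """Walk one constructed record through restriction, export and erasure."""
    store = RecordStore()
    store.add(SubjectRecord(
        "S-001",
        provided={"name": "A. Example", "email": "a@example.invalid"},   # constructed
        derived={"risk_score": "low"}))                                   # constructed
    store.restrict("S-001")

    results = {}
    results["storage_allowed"] = "name" in store.process("S-001", "storage")
    try:
        store.process("S-001", "marketing")
        results["marketing_blocked"] = False
    except ProcessingRestricted:
        results["marketing_blocked"] = True
    results["portable_keys"] = sorted(json.loads(store.export_portable("S-001"))["data"])
    results["access_has_derived"] = "derived" in json.loads(store.access_copy("S-001"))
    results["erased"] = store.erase("S-001")
    results["erased_again"] = store.erase("S-001")
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point to take from the split between `provided` and `derived` is that a portability export and a subject access copy are not the same document: the first covers what the subject gave you, the second everything you hold about them, so a system built for one will not automatically satisfy the other.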
Right to object and automated individual decision-making
There is a new general objection to processing. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her which is either
• performed as a task carried out in the public interest or in the exercise of official authority vested in the controller or
• a task carried out in the legitimate interests of the controller which are not overridden by the rights or interests of data subjects.
In the case of an objection, the organisation will need to demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or establish that the processing is in order to establish, exercise or defend legal claims; otherwise it will no longer be able to process the data.
GDPR represents a massive shift in how we approach data protection compliance with accountability being the key. There are areas where new requirements or higher standards will apply and some of those require work to be done immediately if organisations are to be compliant by May 2018. However we should not overlook the fact that some basic data protection principles remain unchanged and activity to ensure compliance with GDPR should build on compliance with current data protection requirements. A good starting point would be to conduct an audit to determine the state of current compliance at the same time as starting some of the compliance projects.
We have highlighted the areas that need firms’ immediate attention. There are other areas that will require attention nearer to the May 2018 deadline. The suggested actions in this article provide some of the groundwork for compliance with increased information requirements, changes to processes around subject rights and new procedures. All of these areas will require training; taking action now will give organisations the lead time they will need if they are to meet the May 2018 deadline.
The fines for breach of provisions of the Regulation are significant, up to 20 million euros or 4% of annual, global turnover. The Regulation also gives data subjects the right to take court action against a controller and to claim compensation either alone or jointly with others. Don’t let your organisation be a test case.