September 25th marked four months since the General Data Protection Regulation (GDPR) - the biggest overhaul of data protection law in a decade - came into effect. There was a lot of fervour amongst businesses in the run-up to the big day to make sure they were compliant. There was also a lot of misinformation, which led some to believe that GDPR would be a far more seismic change than it has proved to be so far.
Now that the dust has settled, it is a good time to review your GDPR position and ensure that you are compliant with the requirements. You may have taken advice, or conducted an audit, but have you followed through on the findings and recommendations? You may have checked your personal data is well-protected but do you have processes in place to deal with subject access requests?
Regardless of your level of preparation for 25 May 2018, it is important to conduct regular internal reviews of your compliance. So, here is our 10-point checklist of the key GDPR requirements:
1. Data protection policy
A data protection policy is an important document for any business. It should set out the types of data you process, how you keep it secure, how it is to be accessed and used, when and how it is archived or deleted, and how you deal with any requests or complaints relating to the personal data you hold.
You may have one all-powerful policy document or you may have a variety of different policies for different areas of the business or different processes. Either way, it is important that your policy is accurate and up-to-date. An off-the-shelf policy, or one which has sat in a folder gathering real or digital dust for months or years, just isn’t good enough under GDPR. Which leads us to the next point...
2. Policy implementation
Once you have a policy, it is just as important to implement and enforce it across your business. A policy is no good, and will not provide any protection, if it gets filed away and no-one knows about it. You should implement the policy fully, for example by making your employees aware of it, asking them to review and accept it on induction, and providing staff training on it.
You should also enforce it from the top-down by monitoring employee practices and taking action if you become aware of anything that does not comply with the policy. Enforcement may include refresher training, adjustments to processes, and even disciplinary action if employees are repeatedly flouting their obligations.
3. Technical and organisational measures
You hear of having “appropriate technical and organisational measures” quite a lot in data protection. Essentially, it means that you have processes, standards, and systems in place to put your data protection policy into practice and to protect the personal data you hold in accordance with the law.
The measures you have in place will depend on a variety of factors including the sensitivity of the data, what you do with it, and the size of your business. However, whatever they are, they should be monitored, reviewed and tested to ensure they are fit for purpose and they should be used and implemented by your employees. You should also keep a record of your technical and organisational measures (e.g. back-up practices, IT security measures, physical office security, IT acceptable use policy, staff access requirements) in case you need to provide details of these to your customers or the Information Commissioner’s Office.
4. Employee & other personnel confidentiality
As well as having appropriate internal mechanisms in place, you should ensure that any individuals with access to personal data (including your employees, any contractors or agents you use, and other suppliers) are bound by a duty of confidentiality. This will typically be enforced by a confidentiality clause in their contract of employment or services contract.
5. Understanding your data flows
Any business that relies on personal data should understand exactly what data is flowing in and out. A data audit is a good internal practice and essentially involves documenting each business process involving the use of personal data and recording the source of that data, how it is transferred in, how it is stored and used, and how it is transferred out (if applicable). Data flows should be reviewed at a regular interval (e.g. annually) or when a new process is introduced, to ensure the record continues to reflect how you receive and use personal data.
6. Data protection impact assessments
Once you have an understanding of your data flows, you should assess why you process the data in the manner that you do and on what lawful basis. One good way to do this - and one which is required by GDPR in the case of large-scale, high-risk processing - is to conduct a data protection impact assessment. This involves a review of the processing conducted and the lawful ground it relies on (e.g. legitimate interests, consent etc.), the risks it poses to individual data subject rights, and how any of those risks might be mitigated.
Impact assessments should be conducted for new data processing flows and should be reviewed periodically.
7. Privacy / Transparency information
As well as a good internal record of your processing activities, you need to comply with privacy and transparency requirements in the GDPR.
Articles 13 and 14 of the regulations require that certain information is given to a data subject whose personal data you process, when you collect or first use their personal data. This information may be provided in a number of ways but the most common is via a privacy or transparency notice, made available at point of collection or when communicating with the data subject.
8. Using data processors
If you use data processors - any third parties that process personal data on your behalf - you need to comply with specific GDPR provisions. All data processors must be bound by contractual processing obligations that meet the minimum requirements set out in Article 28 of the GDPR, and you should ensure that your processors comply with their contractual obligations (e.g. by vetting, conducting due diligence, requesting records).
Data processors now have direct statutory obligations under GDPR, which did not exist under the previous law, but as the data controller you are still ultimately responsible for the personal data being processed.
It is also important to maintain a record of your data processors and consider whether you need to give details of your processors to data subjects, for example in the privacy information referred to above.
9. Acting as a data processor
If you act as a data processor for other data controllers, you should expect to be asked to enter into GDPR processing clauses (referred to above). There are no prescribed or model processing clauses, so it is up to you and the data controller to agree the contractual obligations.
If you’re asked to sign processing clauses by a customer, you should review them and check that they are appropriate. Some data controllers may try to impose obligations which exceed those required by the GDPR and/or seek to transfer risk and liability to you as the processor. You should be wary of such attempts, so that your business is protected from excessive risk.
As a data processor, you will need to comply with certain obligations to your data controllers, including to maintain certain records, assist the data controller with data subject rights, and permit audits and reviews. You will need to ensure you have processes in place to comply with these if enforced by the data controller.
If you use sub-processors, you will also need to flow down your data processing obligations to those sub-processors and enforce those obligations as you would if you were the data controller.
10. Responsible people & keeping records
If everything else is in order, it is important to ensure you have the appropriate responsible people in place to monitor and manage your data protection policies and practices and GDPR compliance.
If your business falls within the parameters for which the GDPR requires a Data Protection Officer (DPO), you should have an appropriate professional in place (either employed or outsourced). Even if not required to do so, you may choose to appoint a DPO. If you choose to do so voluntarily, you are obliged to comply with all GDPR requirements relating to a DPO appointment.
If you don’t need or want a DPO, you will still need a clear understanding of who is responsible for the various elements of data protection and GDPR compliance. The easiest way to achieve this is via a management chart, showing the various levels of responsibility.
You will also want to keep full and accurate records of your compliance. Article 30 of the GDPR sets out specific record-keeping requirements. Smaller businesses (fewer than 250 employees) are exempt from those requirements, unless engaged in high volume or high risk data processing, but any business engaged in data processing would be well-advised to keep good records of its data protection compliance.
This not only assists with internal management, training, and external queries, reviews, and audits but also provides a shield against potential complaints and investigations. Well-equipped is well prepared.
If you have any questions regarding the contents of this note, or would like further advice or assistance with your GDPR compliance, please contact us on 0117 928 1910 or email firstname.lastname@example.org.