With one year to go, it must be time for a GDPR checklist! It is essential to make a start on preparations for compliance with the GDPR as there is lots to do. The list below provides high level tasks that should be in your preparation programme and references the part of the GDPR that applies.
The GDPR is likely to require significant change for many organisations and you will need to do some groundwork.
- Awareness raising is essential at all levels of the organisation. It is particularly important for senior management as they need to understand the scale of both change required and the task in hand, as well as the implications of being non-compliant.
- Identify the personal data that you hold. You should also identify information falling within the Special Categories (Article 9) or data relating to criminal convictions and offences (Article 10). It is important to identify all personal data being processed including that relating to your own staff, customers, suppliers and other third parties.
- Identify each of your specific purposes for processing personal data.
- Keep up to date with information issued by the Information Commissioner (ICO).
Ensuring Your People Are Ready
Your employees will be an essential part of any programme of change.
- Where required, appoint a Data Protection Officer (Article 37).
- Develop and implement a training programme. This will be essential for many aspects of compliance, including implementing appropriate security (Article 32). Training should be commensurate with people’s data protection responsibilities and will be the topic of future blogs.
Making your Business Processes Compliant
You will need to review all processes that relate to personal data.
- Wherever you process personal data, identify the legal basis for processing (Article 6). This will be the topic of our next blog.
- Review your procedures for obtaining consent where you rely on it as the legal basis for processing, as they may need to be changed to comply with the GDPR. This will be particularly important where you currently assume consent (permitted by current legislation where it is reasonable to do so) (Article 7).
- Amend processes that will not have a legal basis for processing. One example is those in the public sector that currently rely on the legitimate interests condition.
- If you process personal data relating to children, ensure your processes have the specific protection required by the GDPR. This has a number of references including Article 8 and Article 12.
- Ensure your processes for managing business change include procedures for conducting data protection impact assessments and prior consultation (Section 3).
- Develop procedures for reporting data breaches. The GDPR requires that organisations notify both the ICO and data subjects (Articles 33 and 34).
- Develop procedures for demonstrating compliance (accountability) (Article 5). These should include assessment of the effectiveness of technical and organisational measures for ensuring the security of processing (Article 32).
- The GDPR has specific references to profiling. You should check the compliance of any processing using profiling techniques such as marketing and automated decision making.
- Where you transfer, share, or provide data to other organisations, make sure these transfers are documented. You will need this information to comply with some of the individual’s rights listed below.
- Ensure the appropriate safeguards are in place for any international transfers.
Ensuring Your Systems are Compliant
System compliance, for many, is likely to be a significant piece of work.
- All processing requires data protection by design and default (Article 25). This applies to processes as well as systems, although it is likely to have the largest impact on systems. This article also requires that the personal data being processed is strictly limited to that which is required for the purpose of processing.
- Begin implementing system change for compliance. Most of us will need to start this now if we are going to be ready for 25 May 2018.
- Even if you don’t operate internationally, check the geographic location of where your data is being processed. You may find it is outside of the EEA and you need to take action to be compliant.
- Consider the requirements for pseudonymisation and encryption, other appropriate security requirements, and the ability to restore data (Article 32).
- Check that your systems have all the necessary functionality to comply with each part of the GDPR, in particular retention and the right to be forgotten.
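As an added illustration of the Article 25 and Article 32 items above (data minimisation, pseudonymisation, and the ability to act on erasure requests), the Python below shows one common pattern: direct identifiers are replaced with a keyed HMAC pseudonym, the only link back to the person is held in a separate store, and the copy handed to a secondary purpose carries only the fields that purpose needs. This is example code written for this post, not Tkm’s or any client’s implementation; the record fields, the purpose named "analytics", and the `ReidentificationStore` class are constructed assumptions, and it uses only the Python standard library, so encryption of the stored copy (which a real deployment would add with a vetted library) is not shown.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed sample record, as it might sit in a CRM (assumed field names).
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "Alice Example",
    "email": "alice@example.test",
    "postcode": "AB1 2CD",
    "date_of_birth": "1980-01-01",
    "orders": [{"sku": "X1", "qty": 2}, {"sku": "Y7", "qty": 1}],
}

# Assumed: the analytics purpose needs only these fields (data minimisation, Article 25).
ANALYTICS_FIELDS = ("postcode", "orders")


def make_pseudonym(identifier: str, secret_key: bytes) -> str:
    """Keyed HMAC-SHA256 of a direct identifier.

    A plain hash of a customer ID can be reversed by hashing every known ID;
    keying the hash means that attack needs the secret, which is kept apart
    from the pseudonymised data.
    """
    return hmac.new(secret_key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


class ReidentificationStore:
    """The 'additional information' that GDPR pseudonymisation requires to be
    kept separately from the pseudonymised data (assumed in-memory stand-in for
    a separately access-controlled system)."""

    def __init__(self) -> None:
        self._map: Dict[str, str] = {}

    def record(self, pseudonym: str, identifier: str) -> None:
        self._map[pseudonym] = identifier

    def resolve(self, pseudonym: str) -> Optional[str]:
        return self._map.get(pseudonym)

    def erase(self, pseudonym: str) -> bool:
        """Erasure for the secondary-purpose copy: once the link is removed the
        pseudonymised row can no longer be tied to a person. Returns True if a
        link existed."""
        return self._map.pop(pseudonym, None) is not None


def pseudonymise_for_analytics(record: dict, secret_key: bytes,
                               store: ReidentificationStore) -> dict:
    """Build the minimised, pseudonymised copy that analytics may use.

    Direct identifiers (name, email, date of birth, customer_id) are dropped;
    only ANALYTICS_FIELDS plus the pseudonym survive.
    """
    pseudonym = make_pseudonym(record["customer_id"], secret_key)
    store.record(pseudonym, record["customer_id"])
    minimised = {f: record[f] for f in ANALYTICS_FIELDS if f in record}
    minimised["subject_ref"] = pseudonym
    return minimised


def portable_export(record: dict) -> str:
    """Structured, commonly used, machine-readable export (Article 20)."""
    return json.dumps(record, indent=2, sort_keys=True)


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-this-in-a-secrets-store"
    store = ReidentificationStore()
    analytics_row = pseudonymise_for_analytics(SAMPLE_RECORD, key, store)
    print("analytics copy:", analytics_row)
    print("resolves to:", store.resolve(analytics_row["subject_ref"]))
    store.erase(analytics_row["subject_ref"])
    print("after erasure:", store.resolve(analytics_row["subject_ref"]))
    print(portable_export(SAMPLE_RECORD))
```

The design point is the separation: the analytics copy and the re-identification store have different owners and access controls, so a leak of the analytics dataset alone exposes no identities, and an erasure request can be honoured for that copy by deleting one mapping entry rather than hunting through derived datasets.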
Producing the Relevant Documentation
Accountability and transparency are key requirements of the GDPR. You should take steps to:
- Develop privacy notices that contain all the necessary information (Articles 13 and 14).
- Develop your records of processing activities, if required (Article 30).
- Review and revise contracts and agreements where required. This will be particularly important where the agreements relate to personal data. It will also be important to review information sharing agreements and data processing agreements.
- Consider which records you are going to use to demonstrate compliance (accountability) (Article 5). You may need to create new audit and assessment procedures.
Managing the Rights of Individuals
The GDPR introduces new and amended rights for data subjects. The first task is to ensure you understand what each of the rights means in practice. You then need to:
- Review your procedures for processing subject access requests and make sure they comply with the new requirements (Article 15).
- Develop procedures to implement the right of rectification (Article 16).
- Develop procedures to implement the right to be forgotten. In certain circumstances, organisations will need to erase personal data on request. Where the organisation has made that data public, they must also take steps to prevent others from processing that data (Article 17).
- Develop procedures to implement the right to restrict processing (Article 18).
- Individuals will have a right to data portability, meaning that they can request that their personal data is transferred to another organisation in a structured, commonly used format (Article 20).
- Implement procedures that will manage an individual’s right to object to processing (Article 21).
Please contact us to discuss how Tkm can help with your preparations.