GDPR – The Final Steps to Compliance
Apart from the fact that nobody really knows what full General Data Protection Regulation (GDPR) compliance looks like, we should all now be taking the final steps towards getting ready for May 25th.
If you have been following my previous articles and you have completed, or have plans in place to complete, the actions I’ve already mentioned, you are in a good place.
I have just three more points to raise in this, my final blog on getting ready for GDPR.
The first of these links back to the whole issue of consent. Make sure that all the places where you currently capture consent are compliant:
- On web forms make sure that boxes are not pre-ticked
- On all forms make sure that the question is clear – make sure that by ticking the box the customer is giving consent. Ticking a box to withhold consent is not permitted under GDPR.
- Make sure that consent to one type of processing is not tied to an unrelated service. For example, “by registering to attend this event you agree to receive e-mails from us with further offers” would not be permitted under GDPR.
The second point is Assessing Future Projects. One key principle of GDPR is that privacy should be designed in. Every new project, every change in the way you do things in your business should have a Privacy Impact Assessment (PIA) included.
This needs to show that you will only hold and process data that is absolutely necessary for the completion of your duties (data minimisation) and that you will limit access to personal data to only those who need it. The Information Commissioner’s Office (ICO) has produced a code of practice for producing PIAs, which is a very good starting point. This code of practice will also be useful as a starting point for producing Legitimate Interest Assessments, as required when using Legitimate Interest as your lawful basis for processing data.
The final thing to consider is something that we hope you will never need. That is to make sure you have a process in place should you need to report a personal data breach. You need to be able to recognise what constitutes a data breach and know when one has occurred. Once a breach has been identified you must notify the ICO within 72 hours. In addition, if the rights or privacy of individuals are put at risk you must also inform the affected individuals as soon as practicable, without undue delay.
So, to wrap up my thoughts on GDPR for the time being:
- GDPR is the biggest review of data protection regulation for 20 years.
- We must have a lawful basis for situations where we store or process personal data.
- We must identify the lawful bases we are relying on in our privacy statements.
- Where we are using consent as our lawful basis there are stricter rules around how that consent is obtained.
- We should map the personal data journeys within our business processes.
- We should complete a data audit, getting rid of data we no longer need and defining a retention policy for everything we are keeping.
- We must have in place processes for meeting individuals’ rights (subject access requests, right to erasure, data portability).
- We have greater obligations to ensure the safety of the personal data we use in our businesses, including making sure our suppliers (data processors) meet the requirements of GDPR.
- We must have policies in place and make sure our staff are appropriately trained.
- We must notify breaches to the ICO within 72 hours and in some cases we must also notify any individuals impacted.
- We should already be registered with the ICO – if you aren’t, do so now!
Ian Roberts is the director of Steadcross Solutions Limited, which offers various business development and consultancy services under the Steadcross brand.
The information in this article represents a summary of our view of GDPR and is not intended as detailed guidance or advice. If you have questions about how GDPR affects your business please speak to your own legal advisers.