GDPR: your guide to compliance
There is a wealth of information that has been produced about the General Data Protection Regulation (GDPR) and the changes that organisations should have made as a result of it. It can be difficult to know where to start if you are one of the many organisations that hasn’t yet addressed the issue of GDPR compliance. This guide is designed to give you an overview of some of the key points you should be considering and the steps you should be taking to ensure compliance with the new data protection regime.
What’s the background to GDPR?
Rapid technological developments and globalisation have brought new challenges for the protection of personal data and the scale of the collection and sharing of personal data has increased significantly since the previous data protection legislation came into force. In April 2016, the European Union paved the way for a single European Digital Market by adopting major data protection reforms. The new Regulation, the GDPR, came into effect on 25 May 2018 and replaced all national data protection laws across Europe. In the UK it has meant that the Data Protection Act 1998 has been repealed, and replaced by the Data Protection Act 2018.
By way of background it is useful to cover some of the definitions used in the GDPR, so we’ve created a jargon buster to explain what the terms mean in plain English.
Data protection principles
GDPR sets out a number of data protection principles relating to the processing of personal data, with which you must comply. The data protection principles are as follows:
- Data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
- Data must be collected only for specified, explicit and legitimate purposes and not further processed in a manner which is incompatible with those purposes; further processing for archiving purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
- Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
- Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay. In order to ensure that the personal data is not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.
- Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. You will need to put procedures in place to delete data which is no longer required to fulfil the purposes for which it was originally collected.
- Data must be processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- The Data Controller shall be responsible for, and be able to demonstrate compliance with, the above principles; this is known as the accountability principle.
Road to compliance
Many of GDPR’s main concepts and principles are much the same as those in the previous Data Protection Act 1998. However, there are new elements and significant enhancements which you need to be aware of, so even if you were compliant under the old regime, you will still have to do some things for the first time and some things differently.
The Information Commissioner’s Office (ICO) has produced, and will continue to produce, resources and guidance to help organisations comply with the GDPR and the Data Protection Act 2018. The Article 29 Working Party also continues to produce guidance at the European level. We suggest that you keep an eye on this in order to assist with your compliance journey.
Compliance will not happen overnight and will likely take longer than you anticipate. The GDPR affects all areas of an organisation and implementation of the required changes will require input from a number of different people and departments. It is therefore essential to plan your approach to GDPR compliance and to gain ‘buy in’ from key people in your organisation.
Set out below are some key steps that you should be looking to take in order to start your road to compliance.
Without awareness no change can happen, so you should make sure that decision makers and key people in your organisation are aware that data protection law has changed, as they are the ones who need to consider and identify areas that could cause compliance problems under the GDPR. This includes being aware of the changes from an employer / employee perspective, and putting in place adequate training for employees to enable them to comply with the changes. It is your employees who often pose the greatest risk of a data breach.
It is important that someone in your organisation takes responsibility for data protection compliance and has the relevant knowledge and support to undertake such a role. Some organisations need to formally appoint a Data Protection Officer (DPO). A mandatory DPO is only required if you are:
- a public authority (except for courts acting in their judicial capacity)
- an organisation that carries out the regular and systematic monitoring of individuals on a large scale, or
- an organisation that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions.
Even if you aren’t required to, you can appoint a DPO if you wish. However, if you decide to voluntarily appoint a DPO, you should be aware that the same requirements as to the position and its tasks apply as if the appointment had been mandatory. If you decide that you don’t need to appoint a DPO, it is good practice to record this decision to help demonstrate compliance with the accountability principle.
If you do not need a mandatory DPO you should still allocate responsibility for data protection in order to ensure that compliance does not fall through the gaps and there is a clear structure in terms of reporting requirements.
Map information sources and with whom you share it
Before you can think about steps to compliance, you need to have a full understanding of the ways in which personal data flow through your organisation. You should audit and document what personal data you hold, why you hold it, where it comes from, who you share it with, how long you hold it and how you secure it.
Personal data can be held in a number of places and it is important that all of these are taken into account. This includes your online databases, laptops, phones and hard copy documents.
Until you have carried out this exercise it will be very difficult to assess what policies and documents you require. Once you are aware of what data you hold, you can then assess how best to deal with it.
Under the GDPR, personal data must only be stored if it is accurate, kept up-to-date and not held for longer than is required. If you have inaccurate personal data and have shared this with another organisation, you will have to tell the other organisation about the inaccuracy of it so it can correct its own records. A key aspect to compliance will be having an appropriate retention policy in place, which clearly sets out how long you store each type of data that you hold and when it will be permanently deleted.
Identify the lawful basis for processing personal data
The first principle under the GDPR is that data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Organisations often assume that they now need to obtain the consent of data subjects to process their personal data. However, consent is just one of a number of different ways of legitimising processing activity and may not always be the best (as, for example, it can be withdrawn). The most common lawful bases for processing under the GDPR are:
- The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes, or
- The processing is necessary for compliance with a legal obligation to which the controller is subject.
You should review the types of processing activities you carry out and identify your lawful basis for doing so. Importantly you should document your lawful bases in order to help you comply with the GDPR’s ‘accountability’ requirements.
If you need to rely on consent as the lawful basis for processing personal data, you must ensure that it meets the standard required under the GDPR. Consent must be given by a clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the individual’s agreement to their personal data being processed, such as by a written (including electronic) or verbal statement. For consent to be informed, the data subject needs to be aware of what they are consenting to, i.e. the identity of the controller, what information is going to be processed and the purposes of the processing. The main change is that consent can no longer be implied – there must be a positive opt-in, so consent cannot be inferred from silence, pre-ticked boxes or inactivity.
Consent must also be revocable (i.e. people must be able to withdraw their consent) and you should have procedures in place to action and record withdrawals when they happen. However, giving people control and choice over how their personal data will be processed will not be applicable in all situations, for example in an employer / employee relationship.
Consent to process personal data must be distinguishable where placed within wider consent declarations. Therefore, there is a risk that if you have previously obtained consent for generic purposes (without outlining the specific ways in which you intend to use the data), this will now be invalid under the GDPR.
If you are relying on consent to process personal data you should review how you collect, record and manage consent and whether you need to make any changes to your current mechanisms. If the consents you currently hold do not meet the GDPR standard then you will need to refresh these. It is important that you review the systems you have in place for recording consent to ensure you have an effective audit trail.
Review privacy policies
When you collect personal data you have to give people certain information, such as your identity and how you intend to use their information; this is usually done through a privacy notice. Under the GDPR there are some additional things you now have to tell people. For example, you need to explain your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they have a problem with the way you handle their personal data. The GDPR requires the information to be provided in concise, easy to understand and clear language. A privacy notice should therefore set out:
- the Data Controller’s identity
- what personal data is being collected
- how personal data is being collected
- why personal data is being collected
- when personal data is shared
- when personal data is transferred outside of the EEA
- what rights and choices individuals have in relation to their personal data
- how long personal data is kept
Rights of individuals
One of the main objectives of the GDPR is to bolster the rights of individuals and this is reflected in the strengthened rights of data subjects under the new legislation. Such rights include the following:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object, and
- the right not to be subject to automated decision-making, including profiling.
You should check your procedures and establish how you would react if an individual asks to have their personal data deleted. Do your systems help you to locate and delete data, bearing in mind that all data no matter the format in which it is held would need to be permanently erased (subject to certain exceptions)? Who makes the decisions about deletion?
The right to data portability is new. It only applies:
- to personal data an individual has provided to a controller
- where the processing is based on the individual’s consent or the performance of a contract, and
- where processing is carried out by automated means.
This means that if an individual requests it, you may be required to transmit the data that you hold directly to another organisation if this is technically feasible. You should therefore consider whether you need to revise your procedures and make any necessary changes to enable you to provide the personal data free of charge in a structured, commonly used and machine-readable form.
Subject Access Requests
Following on from the above, you should review your processes and procedures in respect of subject access requests as there have been some changes.
If you receive a subject access request from an individual or employee you must reply within one month from the date of receipt of the request and you will not be able to charge for complying with the request unless it is “manifestly unfounded or excessive”. Do you have an appropriate internal procedure for dealing with subject access requests and ensuring that the tighter timescale can be met?
If the data subject makes the subject access request by electronic means, and unless otherwise requested by the data subject, the controller must provide the information in a commonly used electronic form. You should review your systems to establish whether all the information you hold could be provided in an electronic format.
Please note, you will need to take care when processing subject access requests which may contain information that reveals personal data about a third party. We recommend you seek legal advice if you receive a subject access request.
In order to comply with the GDPR, you must take appropriate security measures to guard against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data. You should review and/or put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction. This can include measures such as encryption and appropriate cyber security measures, together with reviewing the security of your office environment.
As the data controller you are ultimately responsible for the data that you hold. Therefore if you use an external data processor (e.g. an IT firm) you must ensure that they can guarantee compliance with the GDPR.
You should also consider whether you have appropriate policies in place regarding the use of laptops and phones. Such items can be easily lost and if data has been downloaded onto such devices this can result in a serious data breach.
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach. You should revise / develop your data breach response plan to ensure breaches are reported and escalated without delay and are dealt with appropriately to minimise damage. One way of dealing with this could be to assign responsibility for reporting to specific individuals. You may also want to run an education piece with your employees to ensure they are aware of the timescales.
Data controllers must report data breaches to:
- the Supervisory Authority, without delay and no later than 72 hours after the breach, unless the breach is unlikely to present a risk to individuals, and
- data subjects, where the breach is likely to pose a high risk to them.
Data processors must notify controllers of data breaches without undue delay.
Whilst this appears burdensome, in some sectors organisations already had an obligation to notify data breaches. Guidelines on the thresholds for notification to the ICO are available on the ICO website, but all organisations should have internal procedures for handling data breaches. You may wish to assess the types of personal data you hold and consider and document where you would be required to notify the ICO or affected individuals if a breach occurred.
Please note, a failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
Data protection by design and Data Protection Impact Assessment (DPIA)
Under the GDPR, you as a data controller have a general obligation to implement technical and organisational measures which show that you have considered and integrated data protection into your processing activities, as seen in the sections above. This approach is referred to as data protection by design and by default.
From the outset of any project you should be adopting internal policies and implementing measures, such as pseudonymisation / data minimisation, to protect individuals’ rights and to help you comply with the data protection principles.
As part of such an approach, the GDPR requires organisations to conduct data protection impact assessments (DPIAs) in specific circumstances. DPIAs are a tool which can help you identify the most effective way to comply with your data protection obligations and meet individuals’ expectations of privacy, allowing you to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur.
Organisations must carry out a DPIA where a type of processing, in particular using new technologies, is likely to result in a high risk to the rights and freedoms of individuals.
Review third party contracts
One of the key changes under the GDPR is that data processors now have direct obligations for the first time. These include an obligation to:
- maintain a written record of processing activities carried out on behalf of each controller
- designate a data protection officer where required
- appoint a representative (when not established in the EU) in certain circumstances, and
- notify the controller on becoming aware of a personal data breach without undue delay.
The GDPR also makes written contracts between controllers and processors a legal requirement, rather than just a way of demonstrating compliance with the seventh data protection principle (appropriate security measures). Such contracts must include certain specific terms, set out in the legislation, designed to ensure that processing carried out by a processor meets all the requirements of the GDPR (not just those related to keeping personal data secure). You should therefore review all of your commercial contracts, in particular those that involve data processing arrangements or data sharing arrangements with third parties, and identify whether any amendments are necessary in order to meet the requirements under the GDPR.
Having a written contract is important so that both parties understand their responsibilities and liabilities. Data controllers should be aware that they are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected.