Pi Magazine – GDPR – What you must do now?
8th December 2017
The General Data Protection Regulation (GDPR) comes into force on the 25th May 2018. It is a hugely important change in privacy legislation, covering both data controllers and data processors, supplanting national legislation in EU countries and of course applying to all processing of the data relating to data subjects residing in the EU even if the organisation processing the data is not in the EU. Essentially it protects the rights of EU citizens as “digital citizens” on a worldwide basis no matter where their data is processed; in effect, this makes it the first global data protection law.
Organisations collect, hold and process a lot of personal data – under GDPR this includes anything by which a data subject can be identified directly or indirectly. It covers a wide range of personal data, including for example: biometrics; criminal convictions, offences; education and training; employment details; financial details; health information; images, voice recordings; personal details, contact, profiling or ID; technical data such as IP addresses, mobile device IDs. It covers a wide range of data subjects, including for example: children, complainants, consumers, contractors, customers, enquirers, funders, marketing prospects, staff, suppliers, visitors.
This personal data is spread across paper and other physical records, electronic files and data in line of business applications. It is typically held in across numerous stores, including in-house filing and systems as well as cloud solutions, off-site archives and with third party processors.
Infringements can potentially result in fines up to €20M or 4% of the company’s global annual revenue; also any person who has suffered damage as a result of infringement of the GDPR has the right to receive compensation.
The clock is ticking and this article identifies some of the key areas where you can take action to move towards compliance.
Auditing personal data
It is essential to identify understand the personal data you hold and utilise. You can undertake an audit of physical and digital data to identify a range of characteristics, including for example:
- Ownership and location
- Categories of data subjects
- Categories and sources of personal data
- Purposes of processing (from both a legal and business perspective)
- Who personal data is shared with, how and why
- Time limits for erasure
- Protective measures in place
The information gathered during the audit will enable you to take a number of subsequent actions, including:
- Creating and maintaining GDPR Article 30 Records of Processing Activities (if applicable to your organisation)
- Update Consent Forms / Privacy Notices with compliant information
- Respond to Data Subject requests and rights (for example to access, rectification, erasure, restriction of processing, data portability, to object, and not to be subject to automated decision-making including profiling) by knowing what is held where and how
- Ensure data protection by design and default are embedded, with Data Protection Impact Assessments undertaken, in processes and systems where required under the GDPR
- Update or put in place Contracts / Sharing Agreements between data controllers and processors
- Put suitable protective measures in place to ensure the confidentiality, integrity, availability and resilience of personal data
- Ensure comprehensive retention policies and disposal processes are in place
Implementing data protection governance
An organisation must review its governance for information and data – covering roles and responsibilities, policies and procedures – to ensure they take account of the GDPR in a consistent manner. Examples include:
- You should designate someone to take responsibility for data protection compliance and consider whether you are required to formally designate a Data Protection Officer (DPO) under the GDPR
- If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority
- Have a Data Protection Policy in place
- Establish compliant Data Sharing Agreements / Contract Clauses with data processors
- Establish a Privacy Impact Assessment Process
- Review your Privacy Notices and Consent Forms
- Establish procedures for handling Data Subject Rights Requests
- Establish a Data Breach Reporting Procedure
- Review or create an Information Security Policy
- Review or create a Records Management Policy, including updating (or creating) your Records Retention Schedule to ensure policies exist for how long you keep all types of personal data
- Ensure your Business Continuity protocols cover all types of personal data
- Review or create an Acceptable Computer Use
- Review or create a Bring Your Own Device Policy
- Review or create an Email Policy
- Review or create a Clear Desk Policy
Ensuring suitable business services are in place
There are a number of business services that can be in place, for both physical and digital records, to ensure that they are handled in a secure, accessible and compliant manner throughout their lifecycle. These include:
- Secure archive storage for physical records containing personal data
- Secure logistics of collection of personal from a branch network for longer-term storage, digitisation or disposal
- Having an inventory system of physical records storage, aligned to corporate records retention policies
- Secure document destruction services
- Document scanning services to digitally facilitate data subject access requests to information about them
- Secure encrypted digital document storage