From 25th May 2018 the General Data Protection Regulation (‘GDPR’) applies across the EU, and this will affect how any company handles personal data about individuals in the EU, wherever the company is based. Implementing the GDPR could have significant resource implications, especially for larger and more complex organisations, and you may find compliance difficult if you leave your preparations until the last minute.
One of the biggest, and most talked about, elements of the GDPR is the power for regulators to fine businesses that do not comply with it. If an organisation does not process an individual’s data in the correct way, it can be fined up to €20 million, or 4% of its annual global turnover, whichever is higher.
That is why we have broken the process down for you in this five-step guide.
1) Access your data
The first rung on the ladder toward GDPR compliance is to gain access to all of your data sources. Conducting a comprehensive data audit will show you where your company currently stands with regard to GDPR compliance.
You should carry out an audit of all data sets (structured and unstructured) that are held across the business. Creating new processes and/or augmenting the existing approach will only be possible when you have a complete inventory of all personal data sources being stored across your data landscape.
2) Identify your data
Assessing your records can seem like a herculean task, but it is non-negotiable. Understanding the data that your company holds takes an investment of time and resources; however, in order to comply with the GDPR accountability principle, the company, as data controller, must be able to demonstrate compliance with all of the requirements of the GDPR (including the principles of Lawfulness, Fairness and Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitation; and Integrity and Confidentiality, together with the rules on international transfers and data subject rights).
The identification process can be broken down into sub-categories:
- What data does the company hold?
- Why does the company hold the data?
- How and when did the company obtain that data?
- Who is responsible for the data in question?
- What does the company do with the data?
- How does the company keep the data secure?
- Is the company the data controller for this data, or a data processor acting on another controller’s instructions?
- How long does your company intend to keep the data and how does it delete the data when it is no longer required?
3) Internal Policies/ Governance
For GDPR compliance, you should review your current privacy policies and put a plan in place for making the necessary changes in time for GDPR implementation. It is also fundamental that any such changes are documented and shared across all lines of the business. Governance of this kind is what ensures that personal data can only be accessed by those with the proper rights, with access decided by the nature and sensitivity of the data in question.
One of the most talked about issues, especially for those in sales and marketing roles is the GDPR standard for consent. It is no longer an option to simply claim that someone consented to giving you their information based on fine print at the bottom of the website, or with a ‘pre-checked’ consent option on a form. Nor can you obtain consent to use the data for a specified purpose and opt to use it for another purpose. You must also allow people to discover what data you have that pertains to them and where it resides.
The GDPR requires all businesses to tell individuals the lawful basis on which their data is processed, how long it will be retained, and that they have the right to complain to the Information Commissioner’s Office (‘ICO’) if they believe their data has been mishandled.
The ICO has published a privacy notice code of practice which reflects the new requirements of the GDPR. It is also advisable to familiarise yourself with the latest guidance from the Article 29 Working Party, this can guide you on how and when to implement any changes in your organisation.
4) Protect your data
Once the personal data inventory and governance model are established, it is time to set up the correct level of protection for the data. Three techniques are commonly used, and the first two are named in the GDPR itself (Article 32) as examples of appropriate security measures:
- Encryption – this translates data into another form so that only people or systems holding the secret key (the ‘decryption key’) can read it;
- Pseudonymisation – this replaces the identifying fields within a data record with one or more artificial identifiers or pseudonyms, with the additional information needed to re-identify the individual kept separately and protected;
- Anonymisation – anonymous data cannot be re-identified, whereas pseudonymised data still allows some form of re-identification (even indirect or remote). Only truly anonymous data falls outside the GDPR (Recital 26); pseudonymised data remains personal data and must still be protected.
It is imperative that data controllers apply the appropriate technique based on the sensitivity of the data and the rights of the individuals concerned, without compromising the growing need for analysis, forecasting, querying and reporting. A common mistake is to hash an identifier such as an email address without any secret key and call the result ‘anonymised’: because the set of plausible inputs is small, such hashes can be recomputed and matched, so the data is at best pseudonymised.
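The following Python example, added here and not part of the original guide, contrasts the three approaches on a constructed customer extract (the names and records are made up). It shows keyed pseudonymisation with HMAC-SHA256, where the holder of the key can still re-link a record; a dictionary attack against unkeyed hashing, to show why that is not anonymisation; and anonymisation by dropping the direct identifier, generalising the quasi-identifiers (year of birth, postcode area) and checking that every combination appears at least k times. It uses only the standard library; the field names and the k threshold are assumptions for illustration.

```python
"""Pseudonymisation vs. anonymisation of a small customer extract.

Added example, not from the original guide. Records are constructed
and do not describe real people.
"""
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample data (fictional).
RECORDS = [
    {"email": "alice@example.com", "dob": "1984-03-12", "postcode": "SW1A 1AA", "plan": "pro"},
    {"email": "bob@example.com",   "dob": "1984-07-30", "postcode": "SW1A 2BB", "plan": "free"},
    {"email": "carol@example.com", "dob": "1991-11-02", "postcode": "M1 1AE",   "plan": "pro"},
    {"email": "dave@example.com",  "dob": "1991-01-19", "postcode": "M1 2CD",   "plan": "free"},
]

# In practice this key lives in a KMS/HSM, separately from the pseudonymised data.
PSEUDONYM_KEY = bytes.fromhex("3f9c2a11b4e7d8f05a6c1e2b9d4f7a83c5e6d1b2a3f4c5d6e7f8091a2b3c4d5e")


def pseudonym(email: str, key: bytes) -> str:
    """Keyed pseudonym: without `key` the token cannot be recomputed from a guess."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Replace the direct identifier (email) with a keyed pseudonym.

    The key holder can still re-link individuals, so the output is still
    personal data under the GDPR, but it is safer to hand to analysts.
    """
    return [
        {"pseudonym": pseudonym(r["email"], key),
         **{k: v for k, v in r.items() if k != "email"}}
        for r in records
    ]


def relink(pseudonymised, key: bytes, email: str):
    """Controller-side re-identification: find the records belonging to `email`."""
    token = pseudonym(email, key)
    return [r for r in pseudonymised if r["pseudonym"] == token]


def naive_hash(email: str) -> str:
    """Unkeyed SHA-256 of the identifier, often mislabelled 'anonymisation'."""
    return hashlib.sha256(email.lower().encode()).hexdigest()


def reidentify_unkeyed(tokens, candidate_emails):
    """Dictionary attack on unkeyed hashes: hash each guess and look for matches.

    Works because no secret is involved and the input space (known or
    guessable email addresses) is small enough to enumerate.
    """
    table = {naive_hash(e): e for e in candidate_emails}
    return {t: table[t] for t in tokens if t in table}


def anonymise(records, k: int = 2):
    """Drop the direct identifier, generalise quasi-identifiers, enforce k-anonymity.

    Generalisation: date of birth -> year; postcode -> leading letters of
    the area code. Raises if any (year, area) combination is shared by
    fewer than k records, since such a row could single someone out.
    """
    out = []
    for r in records:
        area = re.match(r"[A-Z]+", r["postcode"]).group(0)
        out.append({"birth_year": r["dob"][:4], "postcode_area": area, "plan": r["plan"]})
    groups = Counter((row["birth_year"], row["postcode_area"]) for row in out)
    if min(groups.values()) < k:
        raise ValueError(f"not {k}-anonymous: {dict(groups)}")
    return out


if __name__ == "__main__":
    pseudo = pseudonymise(RECORDS, PSEUDONYM_KEY)
    print("pseudonymised:", pseudo[0])
    print("re-linked alice:", relink(pseudo, PSEUDONYM_KEY, "alice@example.com"))
    leaked = [naive_hash(r["email"]) for r in RECORDS]
    print("unkeyed hashes recovered:", reidentify_unkeyed(leaked, [r["email"] for r in RECORDS]))
    print("anonymised:", anonymise(RECORDS, k=2))
```

The k-anonymity check is deliberately strict: with the four sample records the extract is 2-anonymous but not 3-anonymous, and the function refuses to release it in that case rather than quietly shipping a row that identifies one person.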
5) Continuous Compliance
It is imperative that the steps, as detailed above, are implemented as part of an ongoing regimen in order to receive continual insights that can inform process improvements. Companies evolve over time and maintaining a complete record of where and how data is stored and accessed is essential to continuous compliance. A business must be ever-watchful and certain that best practices are not abandoned with time, and that protected data never passes through systems that have not been carefully secured.