GDPR – First steps
• Inform decision-makers on the impact of the GDPR and get consensus on importance and approach.
o It is vital that the whole organisation understands the implications of the new regulation.
• Conduct a data mapping exercise to fully understand your personal data use and processing. Ask the following questions:
o Where is personal data stored?
o How secure is it?
o Who has control?
o Is it shared?
o Do you hold data of non-UK EU residents?
o Is data transferred across borders or outside the EEA?
• Establish who is accountable for each data flow within the organisation. The output of the mapping exercise can be used as the template for the internal records of processing activities required under the GDPR.
• Understand the legal grounds on which you currently collect and use data.
o In particular, examine how consent and legitimate interests are used as the basis for processing personal data, and document these.
• Review your IT systems and procedures.
o Check whether IT systems and organisational processes can technically meet the new individual rights in a timely manner. Consider:
Subject Access Requests, data portability, the right to be forgotten (erasure), and records of consent being given and withdrawn.
• Review staffing requirements for data protection compliance.
o Staff contracts may need to be reviewed and staff will need training; both should be recorded.
• Consider appointing a Data Protection Officer (DPO), mandatory for some organisations but useful for all.
o What is the DPO's role? The DPO should understand your business so they can assess the key areas of privacy risk. The DPO is required to act independently and report to the highest level of management, so think about where the role will fit within the organisational structure. Note that the position can be outsourced to a competent firm or individual, an option smaller organisations may wish to consider.
• Focus on certified accountability of the organisation for data privacy.
o Build a comprehensive privacy compliance programme and structure. Review standards that may already be in place, such as ISO 27001, IASME and Cyber Essentials.
• Prioritise compliance activity and remedial measures on areas with highest risk and most significant impact.
o Priority areas will include: understanding the legal basis for processing and the new, more specific requirements on consent; processing of special category (sensitive) personal data; compatibility of systems with new rights such as data portability; and the shorter time frame for subject access requests (one month, down from 40 days).
• Conduct Data Protection Impact Assessments (DPIA) for new activities.
o This includes identifying the need for a DPIA, describing the information flows and understanding where your data subjects are located. Identify any privacy risks, then identify and evaluate the privacy solutions. Sign off and record the outcomes of the assessment, and integrate them into the project plan.
o Controllers will be required to perform a DPIA where the processing of personal data (particularly when using new technologies) is likely to result in a high risk to the rights and freedoms of individuals. DPIAs will particularly be required in cases of (i) a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based, (ii) large-scale processing of special categories of data, or (iii) systematic monitoring of a publicly accessible area on a large scale.
• Review and strengthen technical and organisational security measures, in particular the use of encryption and pseudonymisation (the two measures the GDPR names explicitly).
• Prepare for data breach notifications.
o Establish a process for notifying the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals; where notification is late, the reasons for the delay must be given.
• Set up internal procedures/strategy for data breach identification.
o Establish a process for notifying affected individuals without undue delay where a breach is likely to result in a high risk to them; work out what "risk" to individuals means for the data you hold; and build in effective ways of detecting breaches.
• Integrate privacy by design and default: collect the minimum amount of information and consider privacy from the inception of the product, service or project.
• Review and update privacy policies and notices.
o Improve the transparency and legibility of all public-facing documents.
• Special consideration should be given to the supply chain and processor contracts.
o Review and audit the commissioning supply chain and update contracts.
o Review and revise legacy contracts to include the mandatory terms for processors; negotiate on the apportionment of liability.
We understand that this is a lot to take on all at once, so here is a mind map we created on our own GDPR journey here at NSN – we hope you find it helpful. For more information or guidance on your GDPR journey, please contact me directly.