We are now only a few weeks away from the biggest change to data protection laws in over 20 years. The new General Data Protection Regulation ("GDPR") will apply from 25 May 2018 and introduces some significant changes to data protection compliance.

Many organisations have been preparing for the GDPR for some time now, but we recognise that not everyone will be completely ready. If you have been following the myth-busting blogs from the Information Commissioner's Office ("ICO") then you may have seen the one from December 2017, one of whose key messages is that GDPR compliance will be an ongoing journey in the weeks, months and years beyond May 2018. That said, the ICO states there will be no 'grace' period: organisations have had a two-year lead-in time to prepare, so the ICO will be regulating from 25 May 2018. It is therefore essential that you can demonstrate you have the key building blocks in place to achieve compliance within your organisation.

We have compiled a checklist comprising several key questions and action points to act as a GDPR readiness sense check.

Are you aware of the personal data you hold?

You are required to document your data processing activities under GDPR. Amongst other things, your records must contain information on the personal data you hold, where it came from and who you share it with, including your purposes and legal basis for processing.

ACTIONS:

  • Undertake an information audit or data-mapping exercise to identify what personal data you hold, where it came from, where it is stored and who it is shared with.
  • Keep a centrally maintained repository of your data processing activities to assist you in demonstrating compliance with the new ‘accountability’ principle.
  • Read the ICO's more detailed guidance about how you can document your processing activities under GDPR.

Have you reviewed and updated your privacy notices?

Under GDPR there are additional things that you will need to tell people when you collect their personal data, for example, the legal basis for processing, information about people’s rights and retention periods. You also need to ensure that the information is clearly written, understandable and easily accessible (particularly if addressed to a child).

ACTIONS:

  • Ensure your privacy notice includes the more detailed list of information and is written using clear language.
  • Read the ICO's helpful summary of the privacy information you have to include in your privacy notices under GDPR.
  • Consider how you will communicate the information in a user-friendly way.

Do your consent mechanisms meet the new GDPR standard?

The GDPR introduces a new and stricter definition of consent. It must be freely given, specific, informed and unambiguous, given by a clear affirmative action (a positive opt-in), properly documented, and as easy to withdraw as it was to give.

ACTIONS:

  • If you rely on consent as a legal basis for processing then you will need to change the way you seek, record and manage consent or consider an alternative legal basis for processing.
  • Check your existing consents and refresh them if they do not meet the GDPR 'standard'.
  • Do not use pre-ticked boxes or any other default method of obtaining consent.

Are you prepared for compliance with the new data subjects' rights? 

On the whole, the rights that individuals will enjoy under the GDPR are the same as under existing law, but with some significant enhancements, e.g. the strengthened right to erasure (the 'right to be forgotten') and the new right to data portability.

ACTIONS:

  • Review and update your procedures for dealing with individual rights.
  • Ensure new and existing systems (HR, IT etc.) are capable of facilitating the rights (e.g. can data be located and deleted on request) and that staff are aware of how to respond.

Have you updated your subject access procedure?

The GDPR revises the rules for dealing with subject access requests and introduces some new elements. In particular, you will no longer be able to charge a fee in most cases (a reasonable fee may only be charged where a request is manifestly unfounded or excessive, or for further copies); you must deal with requests within a reduced timescale (one month, extendable by a further two months only for complex or numerous requests, and you must tell the individual within the first month if you are extending); and you must include certain information in your subject access response, e.g. tell people they have the right to complain to the ICO and explain your lawful basis for processing.

ACTIONS:

  • Ensure your procedures reflect the changes and staff are aware of them and know how to respond.
  • You may need to think about resources if you receive a large volume of requests.
  • Prepare template responses to assist staff when dealing with requests.

Do you have a breach management plan in place?

Under GDPR, personal data breaches will have to be reported to the ICO without undue delay and, where feasible, not later than 72 hours after you become aware of them, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If you miss the 72 hours you must give reasons for the delay, and note that the clock starts from awareness of the breach, not from the end of your investigation.

The examples of notifiable breaches provided by the ICO include breaches that may result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you will also need to inform the individuals concerned without undue delay.

ACTIONS:

  • Implement procedures to detect, report (internally), and investigate any actual or suspected personal data breach within a 24-hour timescale, so that the decision on whether to notify the ICO can be made well inside the 72-hour regulatory window.
  • Ensure staff are aware of your incident reporting process.
  • Consider who to report breaches to internally and the merit of designating specific people or a core team for investigating and evaluating security incidents.
  • Establish an escalation matrix to assist you in distinguishing reportable data breaches.

Have you identified and documented your lawful basis for processing? 

This is a specific legal requirement under GDPR and it links to the accountability requirements and other aspects of GDPR, e.g. you have to explain your lawful basis for processing in your privacy notice and when you answer subject access requests.

ACTIONS:

  • Document this information in conjunction with undertaking your information audit or data mapping exercise.
  • Read the ICO's recently updated lawful basis pages, which include an interactive guidance tool that you may find helpful in identifying your lawful basis.

Have you reviewed and started to update your supplier contracts? 

Where suppliers (as processors) are processing personal data on your behalf (as the controller), you will need to update your contracts to include the mandatory processor clauses set out in Article 28 of the GDPR.

ACTIONS:

  • Establish a programme to review and update all existing contracts with processors to include the new clauses, and ensure they are added to any new contracts from 25 May 2018.
  • If you have a large volume of contracts to review, triage the contracts according to the type and volume of data being processed, for example, deal with those contracts that include high-risk processing first.

Are you able to demonstrate compliance with the new 'accountability' principle? 

You will need to demonstrate your compliance with the GDPR by putting in place data protection measures that set out your approach to data governance.

ACTIONS:

  • Implement appropriate technical and organisational measures, such as data protection policies and procedures, technical security and staff training.
  • Undertaking the steps set out in this checklist will also help you towards demonstrating compliance with the GDPR.

Have you established new corporate processes? 

Under GDPR it is mandatory to undertake a Data Protection Impact Assessment ('DPIA') in certain circumstances, particularly where processing is likely to result in a high risk to individuals.

ACTIONS:

  • Determine when your business may be required to undertake a DPIA and establish a process for conducting them.
  • Familiarise yourself with the ICO's more detailed guidance on DPIAs. This is currently in draft form but expected to be published in final form soon, and includes a sample DPIA template.

Do you need to appoint a Data Protection Officer (DPO)? 

This is a new mandatory role under GDPR. A DPO must be appointed in certain circumstances, i.e. where your organisation is a public authority or public body, where your core activities involve regular and systematic monitoring of individuals on a 'large scale', or where your core activities involve 'large scale' processing of special categories of personal data or data relating to criminal convictions and offences.

ACTIONS:

  • Determine if you need to appoint a DPO and where this role will fit in your organisational structure.
  • If unsure, seek legal advice.
  • Be aware that the DPO must be appointed on the basis of specialist knowledge and expertise of data protection, and have the support and resources to undertake the role autonomously.

Have you had a look at the ICO's new charging structure? 

The requirement to register with the ICO (‘Notification’) will fall away under the GDPR, but a new fees structure will be introduced. 

ACTIONS:

  • Read the ICO's guide to the new data protection fee structure to determine what you will need to pay from 25 May 2018. The structure is yet to be approved by Parliament before it is finally confirmed, so keep an eye on the ICO's monthly updates.

How we can help

We have produced various GDPR compliant documents, which can be purchased on a fixed-fee basis such as:

  • GDPR compliant template privacy notice
  • GDPR compliant processor clauses
  • GDPR compliant data protection policy

For more information

For further information or any queries relating to GDPR, please get in touch with Peter Coe.