The countdown to GDPR is on. Tipped as one of the biggest challenges of 2018, there are certain compliance tasks you should be ticking off your list before 25 May 2018.
Introduced by the EU, the General Data Protection Regulation brings important changes to the way companies collect and use data compared with the current Data Protection Act (DPA). To help you prepare, we’ve pulled together a list of important things you should be doing before the big day.
Many of GDPR’s principles are similar to those in the DPA, so if you’re adhering to the current law, you’re off to a good start. However, there are differences between the two that cannot be ignored.
It’s vital to get started on putting new procedures in place so you’re compliant in time, especially if you work in a large organisation with several key stakeholders. With a greater emphasis on accountability, make sure everyone is aware of GDPR and the consequences of it.
Start with the data you’ve got
While it may seem like a daunting task to review your current processes, take it one step at a time. It’s a good idea to start by looking at the personal data you already hold, how you obtained it and who you share it with. Establish whether or not you have good reason to keep the data you’ve got; if not, delete it.
Under new GDPR rules, you must keep a record of how you acquire and use data. This means if you’ve shared data with another organisation, you’re responsible for informing them of any changes or inaccuracies. You should take the time to review any contracts you have with data processors to ensure they are compliant.
Keeping track of your data processes will also ensure you have evidence of complying with the principles of GDPR, particularly accountability. This will be especially useful if you are a data processor yourself and need to provide reassurances to data controllers, such as clients.
Review your privacy notices
Next, you should assess how you communicate privacy information. Being transparent about how you use data is a key element of GDPR; in fact, it’s a legal requirement to make certain information available to individuals who submit their personal data. This includes explicitly stating who is collecting the data, what the purpose of it is, how it will be processed, your data retention period, and more. The exact requirements for privacy notices are available via the ICO’s guide.
Understand your consent guidelines
The new GDPR guidelines also emphasise the importance of obtaining consent from those you are collecting data from. This means that you must make it clear what you are asking of them and give them the choice of saying no. There will be cases where this is not applicable, for instance when the law requires personal details to be provided, but you should always be fair and honest with data providers.
Be sure to read the ICO’s guidance on consent and evaluate your current methods to ensure they are compliant. In short, consent must be explicitly given with an active opt-in from the participant. You can no longer obtain information from pre-checked boxes, for instance. The clearer you can make opting-in, the better. The GDPR also states that consent must be easily withdrawn if an individual no longer wishes to provide their data.
Make sure individuals know their rights
Again, if you have followed the protocols of the DPA in terms of providing rights, then the change to GDPR shouldn’t be too difficult. Individuals must know where they stand when it comes to their personal data and the right to request access, deletion, and more. Read up on the GDPR rights you must uphold and ensure your processes are ready should an individual utilise them.
You should also ensure you’re fit to deal with access requests when they arise. The GDPR has shortened the time in which you have to respond to these, from 40 days to no more than a month, so make sure you have procedures in place to accommodate this turnaround.
You must also supply this information free of charge, but you can charge a fee if the request is excessive, unfounded or repetitive. The ICO states you can also refuse a request, but you must give a valid reason and inform the individual that they have the right to complain ‘to the supervisory authority and to a judicial remedy’.
Review your lawful basis for processing data
As the GDPR will grant individuals more rights over their data, you must have a lawful reason for processing it. There are six lawful bases for doing so, which are outlined by the ICO. You should identify the most appropriate one for each process and ensure it is stated in the corresponding privacy notice. You’ll likely already have these in place, but the GDPR declares they must be documented to comply with accountability.
Consider children’s data
Unlike the DPA, the GDPR introduces special protection for children’s personal data. Only those aged 13 and above can give their own consent; those under this age must have consent provided for them by a parental figure. Now is the time to consider whether you need to introduce processes to verify an individual’s age in your data capture.
It’s extremely important to ensure you have documented consent for processing children’s personal information, whether that be from the child themselves or a guardian. If you are corresponding with children, you should also ensure your privacy notice is written in a way they will easily understand.
Use a privacy by design approach
If you don’t already do so, it’s time to start using a privacy by design approach. While this wasn’t a necessity under the DPA, the GDPR makes it a legal requirement. This means you should view all existing processing activities through the lens of data privacy by default and choose the methods that best uphold this.
You’ll also need to familiarise yourself with how and when to conduct Data Protection Impact Assessments (DPIAs). These usually need to take place when data processing is high risk, for instance when processing is likely to considerably impact the individual. If you cannot manage those risks, you must contact the ICO for guidance on whether the processing complies with GDPR.
Assign a Data Protection Officer
Finally, you should consider designating a Data Protection Officer (DPO) in your company to handle GDPR compliance. In fact, you have to formally assign a DPO in certain situations; if you are a public authority, for example.
Assigning one individual to take responsibility for data compliance in your organisation will help to ensure you are in the best position possible come 25 May 2018.
We’re well on our way to making sure our own data capturing processes are GDPR compliant here at Storm. If you have any further questions about how your business can do the same, feel free to get in touch.