How to get ready for the GDPR
Last month, we provided an update on General Data Protection Regulation (GDPR). Today, we outline the practical steps you can take ahead of the May 2018 deadline.
Firstly, there is no need to panic. For organisations that already comply with current European Union (EU) law and the Data Protection Act 1998 (DPA) in the UK, the GDPR should not be a significant change.
However, it does introduce new and enhanced protections for EU citizens, and clients need to have a plan ahead of the implementation date in May 2018.
To help you prepare, we have identified 11 steps to take on your journey to compliance.
1. Conduct an information audit
You should identify and record what personal data you hold, its origin and who you share it with.
2. Review your privacy notices
Most privacy policies explain how you will use personal data, but under the GDPR you will also need to state your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO.
3. Map current policies concerning individuals’ rights and address any gaps
You should map your current policies for compliance to the enhanced rights individuals will have under the GDPR and address any gaps. For example:
- How will you delete personal data if a request is made under ‘the right to erasure’?
- How will you rectify personal data if an individual informs you the data you hold is inaccurate or incomplete (‘the right to rectification’)?
- How will you provide data electronically in a universal format if an individual requests access to their personal information under ‘the right of access’?
4. Assess how you will manage information requests from individuals
You need to determine how you will process requests within the new limit of one month (previously 40 days) and consider the resources required if you receive a high number of requests. You will not be able to charge for requests unless they are onerous.
5. Identify the legitimate reason for processing an individual’s data
6. Review opt-in policies
According to the ICO, consent must be a clear indication of an individual’s wishes. Under the GDPR, pre-ticked boxes, silence or inactivity (‘soft’ opt-in) will no longer equal consent. This is a major change from the DPA, which permits a ‘soft’ opt-in.
Crucially, if you hold personal data which was gained with a ‘soft’ opt-in, you will need to contact individuals to seek a positive opt-in. The ICO defines a positive opt-in as ‘some form of clear affirmative action’. This could be as simple as checking a tick-box.
TeleForm or Process Director can help you achieve a positive opt-in
ePC can help you get ready for the GDPR by designing an electronic or paper-based form to achieve a positive opt-in and update the information you currently hold.
A paper form can be designed in TeleForm and made available to your data subjects. This will enable respondents to correct any data you currently hold and, crucially, confirm they opt in to the storing and processing of their personal data.
Alternatively, if you already communicate with your data subjects online, you can ask them to complete an electronic form in Process Director. From the initial notification email to receiving a positive opt-in from the data subject, you can complete the entire process in minutes.
7. Establish rules for retention of data
You will need to consider how you will erase personal data when the reason for holding the information is no longer valid.
8. Take steps to verify a data subject’s age
The GDPR requires you to verify individuals’ ages. If a child is under 16, you will need consent from a person with ‘parental responsibility’.
9. Implement procedures for reporting data breaches
You should confirm you have the necessary safeguards to identify, report and investigate a data breach.
10. Appoint a Data Protection Officer (DPO)
You should appoint a DPO to oversee compliance to the GDPR and data protection generally.
11. Conduct a Data Protection Impact Assessment (DPIA)
According to the EU Article 29 Working Party (WP29) guidelines, a DPIA is a process designed to describe the processing, assess its necessity and proportionality, and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data (by assessing those risks and determining the measures to address them).
A DPIA is mandatory when processing is “likely to result in a high risk to the rights and freedoms of natural persons”. The following activities are considered ‘high risk’:
- Evaluation or scoring, including profiling and predicting
- Automated decision-making
- Systematic monitoring of data subjects
- Processing sensitive data
- Processing data on a large scale
- Matching or combining databases
- Processing data about vulnerable data subjects
- Innovative use or application of technological or organisational solutions
- Data transfer across borders outside the European Union
- When the processing in itself prevents data subjects from exercising a right or using a service or a contract
If the data processing activity meets two or more of the above criteria, you will need to conduct a DPIA.
If you want to know more about the GDPR, please contact us.