The aim of this article is to help groups, companies or businesses that gather, process or store personal data of “data subjects” located in the EU start a GDPR To Do List. This list should allow such entities to take the first steps in order to adhere with GDPR. Please remember that this is not intended to be a thorough guide, more a few “rules of thumb” to take into account in order to get underway.
Readying a GDPR To Do List
Even though the impact of the General Data Protection Regulation (GDPR) has been largely on the radar since it was agreed in 2016, it seems that few groups have got together a GDPR To Do List. According to ‘Spice Works’, just 12 months before the implementation date of the 25th May 2018, only 2% of Information Technology professionals questioned throughout the European Union believed that their company or business was properly ready for GDPR. A similar figure applied to IT workers in the USA, and the figure for their UK counterparts was only marginally greater, at 5%. Basically, this statistic is a cause for concern given that correct compliance is a necessity for groups that wish to avoid fines and other fines.
In order to adhere with the GDPR, groups should begin by ensuring that the following steps are implemented:
Learn about GDPR
Most business people possess some knowledge in relation to the GDPR. The clearest thing about the GDPR is that it will replace the Data Protective Directive (DPD). The difference between an EU Regulation and an EU directive means the new law will enhance uniformity about how personal data is controlled across the entire European Union.
Under the GDPR, people will possess greater control over how their personal data is shared. This is applicable to all “data subjects” – usually referred to a person who is within a member state of the European Union at the time their personal day is obtained. Data subjects have the right to know what data is maintained about them, correct incomplete or inaccurate data, and ask for the data is erased (save for a small number of specific circumstances). It is important to remember that companies around the globe will be impacted by GDPR, and not only those based within the EU. Any group that gathers, processes or stores the personal data of data subjects are obliged to adhere with the new regulation.
Firms and companies must ensure their employees are briefed on the GDPR To Do List and a GDPR training course should be given which covers how the directive affects the way organizations deal with data.
Carry out an audit of stored data
Once an organization has put together a GDPR To Do List, it must complete an audit of the personal data that it presently holds. It should remember the following:
- What type of data is stored?
- In what place is the data held?
- Who is responsible for managing the data?
- Why is the data used?
- Is retention of data still required?
- What security measures are active to safeguard the data?
- Can the data be accessed and given to the individual concerned should they make a System Access Request (SAR)?
Perhaps the key thing to take note of is whether or not it is at all necessary to still retain data. The GDPR rules that data should be used only for the purpose it was first obtained for. Should that purpose no longer be relevant, the data should be deleted or terminated, save in circumstances where there is a legally sound reason to hold it. As a general rule, it is worth noting that the less data any particular group holds, the less significant the impact of any data breach or improper use is likely to be.
Pinpoint dangers
Any high risk data or activities should be listed. In order to do so, it is advisable that Data Protection Impact Assessments (DPIAs) be used. As soon as risks have been earmarked, steps to address against them need to be taken. If, on the available evidence, it seems as that mitigation is impossible, the relevant Data Protection Authority (DPA) should be consulted in order to discuss how to best keep and process the data. This type of discussion, is should be noted, is anticipated to be relatively rare. That said, if circumstances arise whereby it appears that no mitigation is possible, an organization is obliged to contact the authority to discuss the issue in order to adhere with GDPR.
Record of all compliance processes
Groups are required to show they are GDPR compliant. For this reason it is vital to properly record each process and procedure. A group found to be non-compliant may be faced with a fine of up to €20 million, or 4% of its annual revenue (whichever is greater). In all probability the DPA will initially concentrate on tackling problems with organizations that are obviously non-compliant, it is still extremely important for every organization to have its own existing processes, procedures and documentation.
Prepare for the danger of data breaches
Once GDPR is active, it will become obligatory for every data breach to be reported to the relevant authority in less than 72 hours. It is for this reason it is vital that each group has its own procedures in place for dealing with data breaches if and when they take place. Aside from failing to adhere with the GDPR, and therefore exposing the group to a costly fine, a lack of contingency plans might also lead to an impacted reputation. This could result in being even more costly in the long term, should it have a significant impact on custom.
Appoint an in-house Data Protection Officer (DPO)
After activation of the GDPR, any business or group that reviews the personal data of individuals (including IP addresses) on a significant scale will be obliged to engage the services of a DPO, in either an internal capacity or by means of an external supplier. This also applies where groups process voluminous amounts of special category data, e.g. genetic data or criminal information. Public bodies which deal with the personal data of people will also need to have a DPO in place.
There is a high chance that, initially, there will be a lack of qualified Data Protection Officers available. That said, there is no clear definition of what qualifications a DPO must hold. What is necessary, however, is that a DPO be fully aware of what the GDPR covers, and its impact upon the company. Additionally, they must be able to initiate and oversee the running of data protection systems and processes. It is feasible for an organization to internally recruit a current staff member as its DPO provided that they possess the skill set required, and have received sufficient training in every part of the GDPR.
Development of reviewing and reporting processes
Once it has ensured that GDPR compliance systems are in place, a group must also create processes of monitoring and performance. This is so that, firstly, each group is capable of checking at any time that its processes are functioning and completely GDPR compliant. And, secondly, because every group must be able to demonstrate it is compliant in the event that it be audited by the relevant Data Protection Authority. A group can show it is compliant only if everything it does concerning data management and protection is accurately documented. Furthermore, it will need to be able to show that a functional checking regime is active.
The importance of being ready
As remarked above DPAs will be able to impose a range of fines for non-compliance with the GDPR. The exact amount of the various fines, aside from the maximum in each category, remains undefined. It appears that DPAs will have some flexibility when it comes to making decisions in this regard. The imposition of other sanctions will also be subject to a certain amount of leeway. What those other available sanctions will be has not yet been stated.
Despite the fact that DPAs will possess some leeway in their imposition of sanctions and penalties, it is expected that they will discuss these questions with each other so that a level of uniformity is achieved.
Step one for any group should be to make itself aware of the scope of the GDPR. A large number of entities that operate worldwide appear to think GDPR does not affect them in any way. If, however, they have any role in the processing of data collected from people located within the European Union, they might be in for quite a surprise. This does not only apply to data that has been received straight from the subject; it could also apply to data received from a third party. Getting fully advised in relation to GDPR, and the group’s obligations under the regulation, should be the organization’s first item on its GDPR To Do List.
After that first item has been marked off the GDPR To Do List, it is then a matter of assessing present data and practices, and ensuring that any data being held is being done so in compliance with the GDPR. Groups must also enact processes and procedures in order to see to it that continuing data collection and management is GDPR compliant. The management of data must also be reviewed. Dangers must be identified and addressed. While organizations should do everything within their capabilities to guarantee the safety of data, they should also be ready to report any breaches of data within 72 hours of being noticed. In order to avoid possible penalties under GDPR and protect their good reputations, groups should ensure all of the above is in place by the 25th May 2018.
Summary: GDPR Requirements List
To summarize the first steps a group should take to put together a GDPR To Do List, we have compiled a GDPR Requirements List. Not every one of these requirements will apply to every organization – groups that gather, process or store personal data for its own benefit is known as a “Data Controller”. Organizations that process or store personal data for a third party should refer to the items on our GDPR requirements list tagged with “Data Processor”.
- Has your group put together a list of the personal data it holds, the sources of that data, who you share the data with, what you do with it, and how long you will maintain the data for? (Data Controllers/Data Processors)
- Has your group put together a list of where personal data is kept and how data flows between these places? (Data Controllers/Data Processors)
- Has your entity created compiled a publicly accessible Privacy Policy, outlining all the processes linked to the collection, processing and maintenance of personal data? (Data Controllers/Data Processors)
- Does your Privacy Policy outline the lawful basis why your organization needs to gather and process personal data? (Data Controllers)
- Has your organization carried out a risk assessment of its security measures, ensured any weaknesses or flaws are addressed and trained employees to be aware of data protection? (Data Controllers/Data Processors)
- If your organization does business outside the EU, have you appointed a representative within the EU who will be charged with reporting data breaches to the DPA and the data subjects whose data has been breached? (Data Controllers/Data Processors)
- For Data Controllers, has your organization created a contract with data processors and sub-processors to ensure you are advised of any data breaches? (Data Controllers)
- Has your organization existing mechanisms to allow individuals to request access to their personal information, to update or address it as necessary, to request their data is erased or transferred to another data processor? (Data Controllers/Data Processors)
- Does your group always request specific consent before processing an individual’s data, give them the chance to object to personal profiling or automated decision making that could impact them, and give them the right to easily take away their consent? (Data Controllers)
- Lastly our GDPR Requirements List, does your group have an itinerary in place for assessing the effectiveness of your GDPR To Do List, organizational compliance, changes in handling data, and amendments in your situation or legal obligations (for instance conducting a DPIA for high-risk processing)? (Data Controllers/Data Processors)