Now that the new regulation has come into effect, it is time to double check your organisation’s policies and practices.
Although the GDPR deadline has now passed, it’s important for organisations to show that in the event of a regulatory investigation, they have taken reasonable steps to demonstrate they take privacy seriously – and ultimately comply. The good news is that fines for organisations that suffer a breach of personal data won’t be applied if they can prove they’ve taken the correct steps to comply.
The reality is that GDPR will be a continuous journey for organisations involving constantly reviewing data, removing low value data, looking at new data, following procedures, and maintaining trust with customers – by prioritising their privacy. Although many organisations are becoming better prepared for GDPR, here are some key, practical actions that must be taken now.
Double check the GDPR specialist
For those organisations with over 250 employees, a staff member will hopefully have already been made GDPR accountable as the data protection officer. Although they will possess a significant understanding of both the business and complexities of the data regulations – they must also operate independently within the business. Therefore, it’s critical that they don’t have any other responsibilities that may result in a conflict of interest.
Remember that employees count too under GDPR
All staff must receive a ‘Data Privacy Notice’ advising them that their personal data will be processed by the company under ‘legitimate interest’. Explain in simple language which personal data will be processed, the reasons and timeframe for doing so, what rights they have and who they should contact if they have concerns. Also, outline what happens if they leave the organisation and who else this personal data will be shared with.
Gain enterprise-wide GDPR awareness
Everyone within an organisation needs to know what the regulation means for them. This means establishing which areas of the business fall within the scope of GDPR, by identifying, assessing and mitigating privacy risks with data processing activities. For larger organisations, territories and jurisdictions must be looked at too – as well as standards and management systems that may be affected or could positively contribute to GDPR compliance.
Another task is to establish from the IT team if there are any imminent projects that involve personal data – as these will be candidates for privacy by design. This is critical as, privacy by design in a service or product, is taken into account, not only at the point of delivery, but also from a product’s inception.
Identify enterprise-wide data
Organisations hold huge volumes of data in all sorts of weird and wonderful places, so they must ensure that they’ve identified which types are held, where it comes from and the lawful basis for processing it. There are special categories of data that may invite stricter processing rules, such as getting explicit consent. Once all data has been sought out – it must be clearly documented with when, how, and why it was obtained; what is going to be done with it and how long its will be kept.
Audit data flow
Organisations will hopefully now have an understanding of how personal data follows within their business too – as well as where it comes from and where it is sent. This will help highlight risks in data processing activities and where controls are required. From this, it can be established if further effort is required to help identify, assess and mitigate or minimise privacy risks with data processing activities. The three primary conditions for an assessment identified in the GDPR are:
- Systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person
- Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences
- Systematic monitoring of a publicly accessible area on a large scale
Create or improve key policies and processes
According to Article 30 of the GDPR, companies will be required to record personal data processing activities including, but not limited to, the categories of data being processed, the categories of recipients of the data and time limits for keeping the data. Each business will also need a privacy notice, a data protection policy and have to update or review contracts with employees and suppliers – to ensure they are compliant.
These policies should explain what personal data is and why it’s important to keep it secure and protected. Everyone should be clear on what they can and cannot do with that data and must understand the consequences of non-compliance.
The rules around consent are clear: it must be freely given by the individuals; the information must be unambiguous, specific and with no jargon, and consent must be given affirmatively. Transparency is paramount: organisations must be open and honest with the people who provide their data about what is being collected, why it’s wanted, how it will be used and how it will be cared for – and that withdrawal of their consent is possible at any time.
To addresses citizen’s rights, requires more comprehensive outlines on how their data should be handled. Key changes include the ‘right of access’, which have expanded considerably and are required to be free of charge. Additionally, the ‘right to be forgotten’ has also been extended, with individuals now able to be ‘forgotten’ when they no longer want to have a relationship with that brand. This means that organisations should think about what processes are needed to accomplish this.
Check breach response
This response process to a data breach must become flawless. Organisations must therefore conduct practice sessions to ensure that everyone knows what is expected of them – so they’re able to alert the relevant authorities within 72 hours.
Seek additional expertise
If outside help is required, organisations should only consider GDPR partners that have hands-on experience, great relationships with other experts in the field, access to specialist tools – and possesses a strong track record in regulated sectors. Also, a potential partner should already be GDPR compliant themselves.
Also, ensure any partner complies with ISO 27001 to deliver the appropriate technical controls, policies, procedures and promote a culture of awareness of information security. Any potential partner should also follow ITIL best practices and help use it to implement and adapt processes for GDPR compliance.