Stripping GDPR down to its bare bones

Clive Rich undertakes an in-depth analysis of the General Data Protection Regulation.

It’s been four years since GDPR – which stands for General Data Protection Regulation – became law in the UK. And yet there is still a lack of understanding of what is required to be compliant. Essentially, GDPR controls the use of personal data of UK and EU residents, so that it is not used inappropriately. 

These measures ensure confidentiality, integrity, availability and resilience of processing systems. They are reviewed and updated where necessary. Due to a lack of formal standards, there isn’t a one-size-fits-all approach to GDPR.

However, organisations are advised that, in order to achieve compliance, they should follow some basic principles when carrying out a GDPR compliance review. In this article, I will discuss these principles and how following them can strengthen your commitment to GDPR legislation.

Analysis of personal data

Nearly all types of businesses collect personal data and process it. Personal data is defined as information which can identify a person, while data processing computes personal information using specially programmed software. 

As part of your compliance review, ensure that your Record of Processing Activities (RoPA) is correct. This includes:

  • What types of personal data are you collecting?
  • Who does it belong to?
  • Where is it being stored?
  • With whom is it being shared?
  • Why do you have it?
  • Do you still need it?
  • Is it kept safe and private?
  • Who can access it and why?
  • What is your process for updating RoPA?

Data subject rights

Every person who shares their personal information with your business has the right to be informed about its collection and use. This is a key transparency requirement as stipulated by GDPR. You must review whether consent is given freely and whether it is specific, informed and unambiguous.

All businesses will need to:

  • Review their opt-in process for consent;
  • Review how they are managing ongoing consent;
  • Review their opt-out process. Consent should be easy to withdraw;
  • Review how they are recording consent.

For every individual who establishes a relationship with your company, and where there is an exchange of personal information, you will need to make them aware of the purpose for processing personal data. For example, data can be acquired via subscription, loyalty plan or online purchase.

You also need to inform them of the length of time personal data is being retained and who it is being shared with. This is called a ‘privacy notice’. A GDPR privacy policy is a document explaining an organisation’s obligations and practices for meeting its compliance requirements.

As part of your review, you must update your privacy notices when required. If you are employing staff, you will need to review whether you require further privacy notices to cover job applicants, as well as contractors.

And so onto Data Subject Access Request (DSAR), which is defined as: ‘A data subject should have the right of access to personal data which has been collected concerning him or her. And then to exercise their right easily and at reasonable intervals, to be aware of, and verify, the lawfulness of the processing.’

If a person submits a DSAR, your organisation must respond with a copy of any information you have on the subject. All individuals have the right to ask a company to delete their personal data, and companies must execute this request immediately. 

With regards to data destruction, you will need to:

  • Regularly review and update your retention schedules and destruction policies; 
  • Consider how to dispose of paper and hardware devices containing confidential personal data. You might also consider whether you need a shredding policy or whether you may be able to outsource the disposing of computer hardware securely.

Privacy risk assessments

When data is processed using new technologies, companies must take into account the nature, scope and context of where this processing occurs. This is covered in Article 35 of GDPR.

Before you start to process data, the controller must assess the impact of its operations to ensure there are no risks to the rights and freedoms of individuals. Regarding Article 35, companies need to assess why they are relying on legitimate interests as a lawful basis for processing.

Security and data breaches

A data breach is also called a data leak and is a security violation. It occurs when sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by a non-authorised individual.

This can range from attacks by individuals who hack for personal gain, or even malice, to cases where security systems are poorly configured or where computer equipment or data storage media are carelessly disposed of.

For example: When confidential documents, such as bank details, are left on top of a desk or office printer, this is considered a data breach because non-authorised individuals can access this information.

You must have a procedure in place for dealing with data breaches. You must possess the capabilities to detect when a breach occurs, and then investigate and report on it. You will need to review and update whether your technical and organisational measures are adequate for dealing with the type of personal data you are processing. 

Consider obtaining certifications and standards, and always review your security processes after any breaches or vulnerabilities are detected. Put an incident response plan in place.


You need to guarantee that GDPR and personal data training is updated and delivered on a regular basis. This should be in line with an employee’s role. Relevant training includes helpful examples that employees are likely to encounter in their daily roles. Education and awareness is a key risk preventer when done correctly. 


Contracts are essential so both parties understand their responsibilities and liabilities. GDPR explains what needs to be included regarding the storage and processing of personal data. Regularly review and update your vendor’s contract. Article 28 of the GDPR documentation covers this. Also review and update your insurance coverage/liability.

International transfers

If you are the data controller for your company, make certain you have identified all cross-border transfers, internally and externally. Check if your intra-group data protection transfer agreement is updated. Make certain you understand the data protection laws for all the countries you collaborate with and have contact with.

For example: Argentina has issued two sets of contractual clauses for the international transfer of personal data. These relate to ‘controller-to-controller’, as well as ‘controller-to-processor.’ Therefore, you must conduct a transfer impact assessment or a transfer risk assessment – whichever is applicable.

Review and update, where applicable, cross-border transfers concerning UK citizens. You may need to enter into an International Data Transfer Agreement (IDTA) or an International Data Transfer Addendum (UK Addendum). It can all get extremely complicated.

Governance and accountability

Accountability is one of the key data protection principles. It makes you responsible for complying with GDPR and you must have the ability to demonstrate your compliance.

You will need to put in place appropriate technical and organisational measures which meet the requirements of accountability:

  • Review whether your processing requires the appointment of a Data Protection Officer. If not, you may still want to appoint one anyway;
  • Have records which demonstrate your compliance;
  • Implement regular audits of your privacy framework to ensure ongoing compliance.
Clive Rich