GDPR-weariness has flourished after the frenetic preparations in the run-up to 25th May. However, GDPR isn’t about quick fixes and compliance doesn’t stop after the sparkly new privacy notice is published, a training session is run, and internal policies written.
Here are 10 GDPR survival tips (in no order of importance, and certainly not professing to cover everything that needs to be considered).
1. Personal Data Breaches – Be Prepared
As the recent Typeform breach teaches us, a hack into one back-up system can have a huge impact. Acting as a ‘processor’ for hundreds of organisations in the UK and globally, Typeform’s breach quickly became an issue for many controllers.
Having a data breach plan is crucial in ensuring you can meet the requirement to notify a supervisory authority within 72 hours if there is a risk to individuals’ privacy. Efficient, quick assessment of what’s happened and understanding how to assess the risk is clearly a challenge, as is effectively notifying customers if you need to. A customer notification template on standby (which can be adapted to specific circumstances) can mitigate against a rushed, un-reassuring notification with adverse reputational consequences.
2. Staff Training
The importance of staff training simply can’t be overstated. Staff that don’t understand the key principles of data protection put organisations at risk. Marketing teams that don’t understand how GDPR and ePrivacy interact risk breaching the rules. Employees who don’t know what rights customers have risk missing an access or erasure request. Regular and appropriate training can also embed in the minds of staff how to avoid and recognise breaches. As we are always told, most data breaches come down to human error.
The ICO has clearly said that when considering contraventions of the rules and potential monetary penalties, it will take into account the level of training staff receive. If the ICO comes knocking, you are highly likely to be asked to provide copies of the training procedures you have in place.
3. Processor Contracts
One of the biggest headaches for many organisations in the run-up to GDPR enforcement was identifying processors and trying to ensure adequate contracts were in place to cover the strict obligations under Article 28. This has proved particularly tricky for controllers where large-scale processors have expected them to sign up to their terms. This is certainly an area where the “compliance journey” rings very true – this will be an on-going process.
4. Policies, Procedures, Processes
Most organisations will have focused on their GDPR-compliant Privacy Notices, and as your most public-facing document it was important to get it right (albeit I suspect there will be some tweaking taking place on these notices for months to come). But this is just the start of updating/creating the documents you should have in place.
Have you got a data protection policy, an information security policy, a DPIA procedure, an international transfer procedure, a marketing policy for ensuring compliance with PECR, robust processes for handling individual rights and a data retention policy? And the list for bigger organisations is unlikely to end there.
Even if you have implemented a range of new/updated policies, processes and procedures, do they stand up when applied in practice?
5. Upholding Rights
Many could be mistaken for thinking individuals didn’t have any privacy rights before GDPR, but in fact they’re nothing new. They’ve been enhanced, not created, by the Regulation.
Understanding what individuals’ rights are (back to adequate staff training), when they apply, what the requirements are and how to ensure they are effectively upheld can go a long way to preventing unnecessary escalation of complaints.
Simon Blanchard of Opt-4 says: “You should think about individual rights in several ways. First you need to have a well-defined and tested process to manage information rights – subject access requests, right to object, erasure requests, and so on. But you also need to think hard about your processing, to make sure that the rights of the individual are properly considered across any processing your organisation does which might impact on those rights. Not only marketing, but other areas such as the processing of employee data.”
6. Data Retention
We’ve all read Article 5.1(e) and understand the importance of storage limitation: not retaining data for longer than required for the purpose(s). Even if you have dutifully written your data retention policy, practically ensuring there is responsibility for implementing this across (in many cases) multiple departments is likely to represent an arduous task. It shouldn’t be pushed back and overlooked. In the event of a breach, personal data you hold with no lawful purpose represents an even bigger and avoidable risk.
Simon Blanchard says, “Some businesses use a data retention schedule – typically a spreadsheet which lists the appropriate retention period against processing task. This is good governance and a useful reference for your staff as well as helping to meet the evidence requirements under GDPR.”
7. Privacy By Design
The principle of Privacy by Design is nothing new, but Article 25 embeds it in data protection law. Organisations are required to ensure appropriate technical and organisational measures (TOMs) are in place to implement data protection principles and safeguard individual rights. Data protection should be integrated into all personal data processing activities and business practices, at the point of inception and throughout the lifecycle.
A key tool for implementing a Privacy by Design approach is Data Protection Impact Assessments (DPIAs – often still referred to as Privacy Impact Assessments). See our DPN Guide to DPIAs.
Simon Blanchard comments, “Privacy by Design is often thought of as a concept for the IT team. You have to make sure your IT systems have appropriate security and privacy controls in place – which for some means a change of approach for new system design and an upgrade for existing systems. But for many businesses a lot of everyday processing takes place by individuals outside the technology stack on an Excel spreadsheet or other files. Sounds familiar? So I see PbD as broader than an IT team responsibility; it should be organisational. PbD is a great concept to engage your senior management team – privacy must be ‘baked in’ across the whole organisation. Which involves reviewing all your processing to make sure risks are mitigated and appropriate compliance controls are in place.”
8. LIAs – The Balance of Interests
So, you’ve assessed your lawful bases for different processing tasks, identified where you are relying on Legitimate Interests, documented this and informed individuals of what these interests are in your sparkly new Privacy Notice, but have you completed all the necessary Legitimate Interests Assessments (LIAs)?
This is another area which is in danger of being overlooked. Remember, Legitimate Interests can be challenged, and you may need to publicly provide the detail of how you balanced your business interests with the interests and privacy rights and freedoms of individuals. See the DPN’s Legitimate Interests Guidance (this includes a sample LIA template and an example of a completed template).
9. International Transfers
Guaranteeing that any personal data transferred outside the EEA is adequately protected is nothing new; organisations have grappled with model clauses and binding corporate rules for many years. GDPR has just further highlighted the requirements and in some cases made some organisations take note, when they were perhaps hitherto unaware that they were potentially breaching the rules.
Furthermore, if you are using a processor outside the EEA, you need to meet not only the requirements for safeguarding data transferred outside the EEA but also Article 28.
When it comes to transferring data to the US, for the time being, ‘adequacy’ can be achieved if a US organisation is signed up to the EU-US Privacy Shield. But this is facing a serious challenge and could be overturned. Further down the line, there is the big Brexit question: if Britain leaves the EU, will it be awarded ‘adequacy’ status?
10. Accountability
Last, but by no means least, “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)”. [Article 5.2]
Of the 99 GDPR articles, 39 require evidence to demonstrate compliance. Dare I mention the dreaded Record of Processing Activities? Even if this has been completed, it will be an ever-evolving, fluid and undoubtedly substantial document to maintain.
Even for smaller organisations who do not fall under the requirement to have an RPA, there is still a need to ensure you can clearly demonstrate and provide evidence that you take privacy seriously.
Overall, the GDPR principle of transparency is the absolute key to any organisation’s compliance. Ensuring privacy notices are clear, easy to understand and informative is crucial. The ICO would expect any organisation to ensure it can demonstrate it has informed individuals of how it uses their personal data. There should be no surprises.
Written by Philippa Donn, Opt-4 Associate and Editor of the Data Protection Network