NB: This article is a substantially cut down version of a much longer article that we would urge you to read to learn about the GDPR essentials. Click here to view, download and/or print that longer version.
The European Union's General Data Protection Regulation (GDPR) applies in the UK from May 25, 2018. It replaces the existing law on data protection (the Data Protection Act 1998) and gives individuals new rights and stronger protection over how their personal data is used. If your organisation decides why and how it holds personal data on individuals with whom you are doing (or have done) business, then under the GDPR you are a "Data Controller" and you must be able to demonstrate compliance (the accountability principle).
Achieving compliance with the GDPR is a "journey" and no organisation is expected to be 100% compliant on day one. However, every organisation that handles personal data is expected to show that it has at least taken the first steps towards compliance very soon after the Regulation takes effect.
Here are brief descriptions of those first steps:
- Develop a Data Map – A data map sets out the data that your organisation holds, where it is and what happens to it. Click here to view, download and/or print a typical data map, which you can use as a guide.
- Assess how you store data and for how long – Much of the personal data you hold will be kept locally on your own computers and servers (and even good, old-fashioned filing cabinets). However, if you use applications involving cloud storage such as Gmail, Microsoft Office 365, Google Cloud or an online backup service, you need to know where the servers are located and whether your data is stored or accessed outside of the European Economic Area (EEA). If it is, you need an appropriate legal safeguard for that transfer. Decide how long each category of data needs to be kept and delete it when that period ends.
- Be clear as to why your organisation needs to hold personal data and the lawful basis for processing it – Every organisation must be able to show that it has a legal reason to use personal data. In many cases you will most likely be able to rely on "contract" (employment-related information, and sales or purchasing transactions) or "legal obligation" (employee payroll, pension requirements, health & safety compliance, etc). Where you rely on "consent", for example for outbound marketing communications, you must hold evidence of every recipient's opt-in.
- Develop a GDPR Security Compliance Checklist for Staff – Since you and your staff are almost certainly storing personal data as part of your organisation's business activities, you should ensure all members of staff complete a "GDPR Security Compliance Checklist". Click here to view, download or print a typical example, which you can use as a guide.
- Develop a Data Protection Policy – Click here to view, download or print a typical example, which you can use as a guide.
- Develop a Subject Access Request Procedure – Click here to view, download or print a typical example, which you can use as a guide.
- Develop a Data Breach Response Plan – A data breach of any size is a crisis management situation, which could put an entire organisation at risk. Data security is not solely an IT issue; it is an organisational risk, and breach response should involve people from various roles across the organisation. Planning for a breach is therefore essential, not least because a personal data breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of becoming aware of it. (There is a comprehensive list of what needs to be considered when formulating a Data Breach Response Plan in the longer version of this article.)
- Decide whether you need to appoint a Data Protection Officer (DPO) – The GDPR makes a DPO mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. Other organisations may appoint one voluntarily, and it is good practice to name someone responsible for data protection in any case. The DPO (or the person in that role) is the contact point for the Information Commissioner's Office (ICO), advises you of your GDPR obligations, monitors compliance, carries out or organises audits, and raises awareness of GDPR and information governance issues amongst your staff.
- Determine if your organisation is already registered with the ICO – If your organisation is registered, you do not have to pay the new Data Protection Fee until that registration expires; the ICO will notify you when it does. Click here to search the register of data controllers.
- Consider whether your organisation uses third party data processors – If your organisation outsources IT support, payroll, marketing communications or CCTV, it is using third party data processors. You must have a written contract in place with each of them. The GDPR requires that every contract under which a company or other organisation supplies goods or services to you and processes personal data on your behalf must be in writing and must contain a prescribed list of provisions describing how the data is processed, secured, returned or deleted.
- Carry out a Data Protection Impact Assessment (DPIA) when you deploy new systems – If your organisation plans to deploy a new system – eg, CCTV, a new email system – you must carry out a DPIA where the processing is likely to result in a high risk to individuals, and it is good practice to do so for any significant new processing. A DPIA must describe the processing and its purpose, identify the risks to the personal data and to the rights and freedoms of individuals, and set out the measures and safeguards necessary to mitigate those risks. (There is a comprehensive list of what needs to be considered when formulating a DPIA in the longer version of this article.)
- Keep GDPR-related records up to date – Circumstances change over time. Consider the following aspects of your record keeping:
- Records of consent should be reviewed regularly. The GDPR sets no fixed interval; as a working rule, review them at least every two years and refresh consent every five years.
- Review your Data Map and amend it if necessary.
- Review and update all GDPR documentation. This should be done at least annually.
- Learn more about GDPR – For more information about the GDPR, visit the ICO website here.