The GDPR places great emphasis on accountability. It is imperative not only that you comply with the GDPR but also that you can evidence your compliance and can detect and report any data breaches.
Record-keeping is therefore essential. The records you are mandatorily required to keep will depend to some degree on the size of your organisation; subject to certain exceptions the GDPR places greater record-keeping obligations on organisations with more than 250 employees.
However, we suggest that all businesses should be able to demonstrate:
- that the directors / management have formally considered the new requirements imposed by the GDPR and are monitoring compliance as a standing item on their agenda
- the organisation's framework of accountability and how it works
- the training that has been given to staff and the measures that have been put in place to ensure they continue to understand their obligations
- the results of their preparatory audit, gap analyses and privacy impact assessments
- a clear understanding of the categories of personal data they process and its lifecycle within their organisation
- why personal data is processed and the applicable processing conditions applied (including how consents are obtained and kept under review)
- the length of time for which personal data is retained and why
- that data privacy is at heart of their decision-making and how this is achieved
- how policies and procedures have been changed to respond to the enhanced rights of data subjects
- how a data breach will be dealt with, reported and mitigated
Privacy by design
You may have heard the phrase "privacy by design"; it is not new. What is new is that "privacy by design" is now a legal requirement under the GDPR.
Privacy by design means that privacy and data protection compliance need to become integral to your risk management methodologies and practices. Whenever you begin a new project, launch a new product, or develop a new process or service line, you need to consider privacy and data protection issues right from the start, and factor them into what you do and how you do it. The same approach should be taken when evaluating existing projects, or as things change, to make sure that you remain compliant. If there is any doubt, the default position should be the option which is the most compliance-friendly.
This represents a shift in approach for many businesses who may currently view data protection and privacy as a side issue, considered only late in the day or not at all. Whilst many will regard the increased obligations introduced by the GDPR as onerous, others will view them as an opportunity – a way to differentiate themselves from the competition and minimise the privacy risks associated with doing business in a digitally connected world.
The GDPR contains an overarching obligation for data controllers to implement technical and organisational measures to integrate data compliance in this way. This includes making sure your third party processors have taken the steps they need to take to comply with the GDPR and that your contracts and arrangements with them are amended to the extent necessary to ensure that you, as data controller, can also comply.
The GDPR also contains a specific requirement for privacy impact assessments to be conducted on any proposed high risk data processing activities. Examples include where a large amount of sensitive personal data (such as health data) is processed or where data is statistically analysed and assessed ("profiled").
The purpose of a privacy impact assessment is to consider the impact of the envisaged processing operations on the protection of personal data and to minimise any associated risks. A single assessment may address a set of similar processing operations that present similar high risks.
The assessment must include:
- a description of the proposed processing activities and their purpose; and
- a consideration of the need for and proportionality of the processing, the likely risks and how these will be addressed
You should develop internal procedures for determining when a privacy impact assessment is required and when any unmitigated risks need to be referred to the regulator for prior approval.
Processing Conditions & Consent
Having established what data you process and its current lifecycle within your organisation, it is important to identify and potentially reassess the basis on which you are processing it - the so-called "condition for processing".
In many cases pre-GDPR, businesses would have relied on the consent of data subjects as the basis for processing their data. However, other bases exist and continue to exist under the GDPR. These other bases include where the processing is necessary to comply with a legal obligation, to protect vital interests, or for the performance of a contract between the data controller and the data subject.
There are three key reasons why it is important to reassess your basis for processing in the months leading up to the introduction of the GDPR.
1. If you want to continue relying on consent as the basis for processing data under the GDPR, the way you obtain it is likely to need to change
The GDPR requires consent to be freely given, specific, informed and unambiguous. If you want to process special category (sensitive) data, explicit consent is required.
Freely given: there should be a genuine choice on the part of the data subject as to whether and how you process their data, and the consent must be as easy to withdraw as it was to give. There should be no question of the data subject being misled, intimidated or negatively impacted by withholding consent. Where there is a clear imbalance or element of subordination in the relationship between you and the data subject, an alternative basis for processing should be found. Additionally, you should not make your performance of a contract conditional on the data subject agreeing to the processing of personal data you do not need to perform the contract.
Specific: the consent you obtain for the processing of personal data must be prominent, concise and separate from your other terms and conditions. If you are processing data for a range of purposes, you should provide a clear way to enable consent to be given or withheld separately for each purpose.
Informed: the GDPR requires specific information to be provided to the data subject, including the name of your organisation and the names of any third parties who will be relying on the consent. Individuals must have enough information to decide whether to consent to the processing of their data or not.
Unambiguous: a statement or clear affirmative action is required to signify that the data subject agrees to you processing their data. Consent can no longer be inferred from silence or from a pre-ticked opt-in box; instead, unticked opt-in boxes or similar active opt-in methods should be introduced with each option being given equal prominence.
Explicit: consent to process special category (sensitive) data must be expressly confirmed in a clear statement to that effect. No other affirmative action will suffice.
This does not necessarily mean you automatically need to refresh all the consents you intend to rely on under the GDPR, but you must consider whether they meet the new criteria and are sufficiently well documented. If this is not the case, you will need to obtain new, compliant consents or rely on another basis for processing (if one is available).
2. If you rely on consent as the basis for processing under the GDPR, the data subject has more rights than if you process personal data on another basis
Relying on consent as the basis for your processing means that the data subject has certain additional rights under the GDPR.
For example, if someone withdraws their consent and there is no other lawful basis for you to process their data, they have the right to have their data "erased". In this situation, in addition to erasing their data you also have certain obligations to tell any third parties to whom you have disclosed the data that it is being erased and that any links to it or copies of it should also be deleted.
Additionally, if personal data an individual has provided to you is processed by automated means based on their consent, they have the right to data portability. This means you need to provide their data to them in a structured, commonly used and machine readable form when they ask for it so that they can move, copy or transfer the data safely and securely.
3. There are special rules for obtaining consent from children for services requested and delivered over the internet
If you are providing services over the internet directly to children, you will generally need to obtain parental consent (unless you can rely on another lawful basis for processing). The GDPR allows countries to determine the age of children for this purpose as being anywhere between 13 and 16 years old. If you operate across borders, you need to have appropriate measures in place to accommodate the consent requirements for children in different countries, and you also need to implement measures to verify the age of the child and the responsibility of the consenting parent.
So, your compliance officer has had data protection compliance as one of his objectives since the year dot. He's bound to be all over GDPR. You definitely have it covered, right?
Data protection compliance can no longer be the responsibility of just one person in your organisation, or a matter of marginal concern. Everyone in the business needs to understand GDPR, what it is and the importance of putting data privacy at the heart of your policies, processes and practices.
This means that:
- the directors, or others responsible for the management of your business, need to have GDPR in the forefront of their minds. The widely-publicised penalties for breach of the GDPR and the equivalent legislation introduced in other non-EU countries (including the Channel Islands) are designed to make data protection an issue for those at the highest level of the organisation
- public authorities, and private sector businesses carrying on high risk processing, must appoint an appropriately qualified and independent data protection officer who is responsible for overseeing data protection compliance. The data protection officer must keep up to date with developments, report directly to management on a regular basis, and liaise with the regulator to the extent required. Other organisations who are not mandatorily obliged to appoint a data protection officer are encouraged to consider appointing a person or persons responsible for such matters, possibly by an alternative title (eg "data protection coordinator"), as a matter of good practice
- business should have accountability frameworks, so that all project and team leaders at every level of the business are given responsibility for ensuring compliance with the processes and procedures adopted in line with GDPR
- regular training should be given to all personnel so that they understand the key requirements of GDPR, what their obligations are and why this is so important to the business
Importantly, looking outside your organisation
, (to your suppliers and others who will process the personal data you control is key for the purposes of ensuring that they continue to comply with the GDPR. It is your responsibility as the data controller to exercise a high duty of care in selecting these data processors.
Prior to the inception of the GDPR, a fundamental component of the preparatory phase by data controllers and data processors was the conduct of a data audit. Controllers and processors that still have not undertaken this exercise will not sufficiently understand their data processing activities and are likely to be in material breach of the law. It remains open to businesses to conduct an audit. Doing so could greatly reduce the likelihood of complaints, breaches and sanction. It could also impact the severity of any sanctions imposed.
First, you need to understand the life cycle of all categories of data within your business. This means collaborating with the business leads across your organisation (such as the head of your HR, IT and Business Development teams), to identify:
- the entry point: what personal data you collect, where and who it comes from, how it comes into your organisation and why you are receiving it
- the process: where the data goes and what happens to it while it is in your organisation – where and how is it stored, who has access to it and why (is anything superfluous)?
- the inputs: what additional data is added from internal and external sources to the data you receive, who does it and why? Is any of this additional data inferred through profiling or similar means?
- the outputs: what will be produced with the data in terms of reports and other outputs?
- the exit point: when and how is the data deleted or exported from the organisation? If it is exported to a third party – who are they, what is the basis for the data being exported, and how and why will the third party process it?
Once you have mapped this information:
- you will be able to start to identify what has to change to enable you to comply with the GDPR
- you should document and keep the results to demonstrate what you have done to collate the information needed to underpin the development of your new data governance strategy.