How do companies become GDPR compliant?
The media flurry around the introduction of the General Data Protection Regulation (GDPR) in May 2018 has quietened, but organisations shouldn’t be lulled into a false sense of security.
The more time passes, the less lenient national supervisory authorities such as the UK Information Commissioner’s Office (ICO) are likely to become in respect of data breaches.
It’s therefore more important now than ever to ensure that your organisation’s data processing activities are compliant. This guide doesn’t apply only to companies: partnerships, charities and other business structures are all affected if they process personal data. Here we run through the exercises that enable organisations to become GDPR compliant:
General tips on how organisations and companies can become GDPR compliant
- Identify all existing data systems and the personal data processed
The best place to start is with a thorough audit of your data processing, storage and collection systems. Once you know exactly what you’re dealing with, then you can conduct a GDPR gap analysis to identify weak points in your systems, or the technologies you use, where there is a risk of a GDPR breach. It is advisable to instruct a data protection expert to do this for you.
- Ensure the resources to prepare for change have been allocated
Internal resources can be a challenge for even the slickest of organisations, so if there are still GDPR-related changes you need to make, you should identify the ‘who, what, where, why and when’ straight away.
- Consider appointing a DPO and whether this is mandatory
Under GDPR, certain businesses will need to appoint a Data Protection Officer (DPO). You might need to appoint a DPO if you undertake certain types of data processing, or if you are a public body or authority. They will keep track of your internal processes, make you aware of your obligations, be a point of contact between those whose data you process and authorities such as the ICO, among other things. There can be limitations on which people can perform this role internally, so it is not uncommon for the role to be outsourced. Contact us if you would like advice on whether you need to appoint a DPO or if you wish to explore outsourcing that role.
- Assess whether the business uses consent to justify processing
Under the GDPR, there are strict criteria as to what constitutes ‘consent’. It says that “consent must be given by a clear affirmative action, establishing a freely given, specific, informed, unambiguous indication of the individual’s agreement to their personal data being processed”. Simply failing to untick a pre-ticked box, for example, is no longer enough to count as ‘consent’. Consent must also be as easy to withdraw as it was to give, and you should keep a record of when and how it was obtained.
- Establish a policy for handling data breaches
As the saying goes, fail to prepare, prepare to fail. No-one wants to think of what would happen should a data breach occur on their watch, but it is essential to have a policy in place which is read and understood by all staff, and covers exactly what should happen next. Bear in mind that the GDPR requires a personal data breach to be reported to the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals, and that affected individuals must be told without undue delay where the breach is likely to result in a high risk to them. Your policy should therefore make clear who assesses a suspected breach, who decides whether to notify, and where the internal record of every breach (notified or not) is kept.
- Develop and implement a policy on retention and storage of data, including emails
You should be clear and transparent across your organisation as to how long personal data will be kept and where it will be stored (and this includes emails). It’s not enough to write a policy and forget about it; you should continually check in with others in your organisation to make sure these rules are being followed.
You will need to respond to data subject access requests (SARs) within one month of receiving them (extendable by up to two further months for complex or numerous requests, provided you tell the individual within the first month), and do so with a higher level of detail than previously required and, in most cases, without charging for it; a reasonable fee or a refusal is permitted only where a request is manifestly unfounded or excessive. Individuals are also able to request that you delete their personal data in certain situations (the ‘right to erasure’), and to have it rectified, restricted or ported; you should make sure your systems can locate all of an individual’s data, including copies in backups and emails, so that you can comply with these requests.
- Consider data protection when developing new technologies, services and goods and keep clear records
GDPR is no longer just a compliance ‘box-ticking’ exercise – it plays an important role in many key business decisions. For example, if your marketing team are creating a new website and its content management system processes sensitive data, or you introduce a new client management system which stores personal information, you should always keep GDPR top of mind and make sure every new technology you introduce supports compliance. Your business also has an ongoing requirement to keep those measures up-to-date.
- Review your international data flows and the contractual documents which underpin them
If you are a data controller and are engaging a data processor to handle personal data on your behalf, Article 28 of the GDPR requires you to have a written contract with the processor containing certain mandatory terms (for example, that the processor acts only on your documented instructions, keeps the data confidential and secure, assists you with breach notifications and data subject requests, and returns or deletes the data at the end of the engagement). If a sub-processor is engaged, the same contractual protections need to be passed down the chain, and the processor needs your authorisation to appoint it. Furthermore, if you are transferring personal data outside the EEA, you will need to consider how you will comply with the GDPR’s requirement to have ‘appropriate safeguards’ in place for that data, if the destination territory is not one of those few whose data protection laws have been deemed ‘adequate’ by the European Commission. This will usually involve further contractual arrangements with the recipient of the data, such as the Commission’s standard contractual clauses.
- Look at your privacy notices now and start updating them
Under the GDPR, you need to include certain information in your privacy notice. Among other things, it must state who you are and how to contact you (and your DPO, if you have one), what you use the data for and the legal basis for each purpose, who you share it with, whether you transfer it outside the EEA, how long you hold it (or the criteria used to decide that), and what rights individuals have, including the right to complain to the supervisory authority. You should communicate this in a clear way that is easy for people to understand.
- Review employment contracts, handbooks and policies
GDPR doesn’t just concern data of customers and clients; you need to take great care over your employee data too. This should include reviewing the privacy notices and other fair processing information you give to job candidates and employees, and checking that employment contracts, handbooks and policies reflect how you actually handle staff data.
You should also be proactive in training staff regularly on their data protection responsibilities. We can help you with staff GDPR training, audits and best practice advice on handling current, prospective and past employee data, so get in touch.
- Appoint an Article 27 EU representative, if you need one
If your business doesn’t have an establishment in the EU but you provide goods or services to, and/or monitor the behaviour of, individuals in the EU, and you process their personal data as part of this, you may need to appoint a Representative in the EU under Article 27 of the GDPR. This may become particularly relevant for UK-based businesses after Brexit.
Our Dublin-based sister company, Willans Data Protection Services, can act as your EU Representative. We can help you with holding data processing records, act as a point of liaison between you and EU supervisory authorities, and handle SARs – get in touch to find out more.
Our specialist GDPR and data protection solicitors will make the effort to get to know your business, using this knowledge to create workable solutions to any kind of GDPR compliance challenge that companies or organisations may face. Whether you’re looking for a comprehensive solution, training or help with certain aspects of data protection law, please contact us. We're here to help.