GDPR : 8 frequently-asked questions
While the stir around the introduction of the General Data Protection Regulation (GDPR) has certainly died down since May 2018, the GDPR is still as relevant as ever to all organisations who process people’s data.
Here we answer a few questions that often crop up…
- How can GDPR compliance be automated?
- What are the security and privacy implications of the GDPR?
- What are the checklists for GPDR compliance?
- How is a GDPR gap analysis performed?
- Is GDPR part of the Data Protection Act?
- What is the data protection impact assessment in GDPR?
- What is the data controller role in GDPR?
It would be very difficult, if not impossible, to automate GDPR compliance. There are so many variables at each stage of the process. We always recommend that organisations seek tailored advice to ensure their own processes are compliant; after all, each businesses has its own organisational structure, systems and internal ‘quirks’!
In terms of data security, data controllers and data processors have greater responsibilities under the GDPR than they did previously. You should take steps to show that you are doing your due diligence when it comes to protecting the data you process. This may involve scrutinising the technologies and processing operations your organisation uses and making sure these are capable and reliable when it comes to keeping confidential data safe.
There is no one-size-fits-all approach to GDPR, as each organisation handles data differently, but the ICO has lots of helpful resources – including a data protection self-assessment toolkit, with a series of checklists for data controllers and data processors, data sharing and subject access and more – which businesses can use as a starting point.
A GDPR gap analysis is important, simply because you can’t solve a problem that you didn’t know existed! This is a process of identifying areas and systems within your organisation which may be at risk of a breach and need ‘tightening up’. You should instruct a data protection expert to do this, because it is one of the most important steps on your journey towards compliance, not to mention a complex and time-consuming process for the uninitiated.
The Data Protection Act 2018 replaces the Data Protection Act 1998, giving an updated framework for UK data protection law. It is not the same as the GDPR, but it sits alongside it. The DPA 2018 gives a framework for how the GDPR should be put into practice in the UK.
One of the characteristics of GDPR is increased accountability. There is a requirement under GDPR for businesses to undertake data protection impact assessments when putting any processes in place that use new technology that is likely to result in a high risk to data subjects.
Under GDPR, both data controllers and data processors have new obligations. The ICO defines data controllers as “the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data.” They are the organisations who decide how personal data is processed, and what it is used for. If there is more than one person taking on this activity, using the same data for the same purpose, they are referred to as ‘joint controllers’. UK data controllers must also make sure that the data processors they instruct are also compliant. If data controller breaches their obligations, they may face action from an authority such as the ICO.
Generally, if you are a data processor, you will be working under a data controller’s instructions, but you will have your own responsibilities too. If you have any questions on your compliance responsibility, please contact us.
Our specialist GDPR and data protection solicitors will make the effort to get to know your business, using this knowledge to create workable solutions to any kind of GDPR compliance challenge you may face. Whether you’re looking for a comprehensive solution, training or help with certain aspects of data protection law, please contact us.We're here to help