In the run-up to 25th May 2018 organisations throughout the UK struggled to understand the new legal framework of the GDPR and the Data Protection Act 2018.
Frequently what was required was overlooked or misunderstood: here is your essentials guide. If you have implemented measures in each of these areas you are in a good place.
If you cannot say "Yes; indeed we do!" to all of them, you need to address the gaps urgently.
Records of Processing
There are strict requirements to keep records of processing activities where: (i) you have 250 or more employees, (ii) the processing is likely to result in a risk to the rights and freedoms of individuals or is not occasional, (iii) special category (i.e. sensitive) personal data are processed, or (iv) criminal conviction and offence data are processed.
Even if you fall outside these categories, you still need a record of the personal data you hold and the purposes for which they are used. Without this you cannot meet your duty of transparency (see below), because you cannot tell people what you do with their data if you do not know yourself.
Records of processing can take the form of an audit, a Data Asset Register or other documentation. They will include the legal basis relied on for each processing activity (and, for special category data, the additional condition relied on).
The duty of accountability means the Regulator (the ICO) can call on you at any time to demonstrate compliance, so these records must be kept up to date, not produced once and forgotten.
You will have identified the other organisations that act as your data processors and you will be able to show that each of them is bound by a written contract containing the data protection terms GDPR requires (Article 28).
Transparency with Data Subjects
All organisations have to provide certain information about their processing activities to the individuals whose data they are processing.
Where the data are collected directly from the individual, this information must be provided at the time of collection. Where the data are obtained from a third party, it must be provided within a reasonable period and at the latest within one month (or, if earlier, when you first communicate with the individual or disclose the data to someone else).
If you are compliant with the duty of transparency you will have Privacy Notices (sometimes called Fair Processing Notices) covering each type of data subject (i.e. employees, customers, marketing leads, etc.), and you will have either sent the relevant notice to every individual whose data you process or made it available (e.g. on your website) and given them a link to the relevant web page.
Data Minimisation and Retention
You will have examined all of the different types of personal data you routinely collect and either: (i) justified your use of each item, or (ii) decided to stop collecting any item of personal data you do not need. This will be reflected in your records of processing.
You will also have a policy or schedule setting out how long you retain each type of personal data, and processes in place to ensure data are deleted (or anonymised) when that period expires.
Accuracy
Your policy documentation will include guidance on the accuracy principle, and you will be able to show that measures are in place to keep personal data accurate and up to date (and to correct or delete data found to be inaccurate).
Security
It is essential that you deploy adequate security measures to protect personal data, with more resources and effort devoted to security where the risk to individuals from a data breach is higher.
All organisations will suffer data breaches from time to time, but those that cannot show they took appropriate measures to protect personal data face high levels of fines and damage to their reputation.
Your records of processing activities will show an assessment of risk and that you have considered what measures are necessary and appropriate in light of it.
Wherever processing is likely to result in a high risk, you will have undertaken a Data Protection Impact Assessment (DPIA) and, if the residual risk cannot be reduced to an acceptable level, you will have consulted the Regulator before starting the processing.
You will also have a policy that specifically sets out your approach to security and gives your staff clear guidance on how they must behave when handling personal data.
Data Subjects’ Rights
Individuals whose data you process have a wide range of new rights (including access, rectification, erasure, restriction, portability and objection); your privacy notices will summarise these, and you will be able to show that policies and processes are in place to respond to requests without undue delay and in any event within one month of receipt (extendable by a further two months for complex or numerous requests, provided the individual is told within the first month).
Staff Training
Finally, as part of the duty to put data protection front and centre of your organisation, you will have ensured that all staff who deal with personal data understand their duties and responsibilities.
This is done by having appropriate internal policies and ensuring that all relevant staff have undergone basic data protection training, with refresher training at suitable intervals.
This guidance is 'headline news' only. For more information about your duty to be able to demonstrate compliance with the data protection legislation:
for detailed guidance, click here;
for summary guidance on accountability and demonstrating compliance, click here;
for a reminder of the key principles that must be complied with, click here.