Getting your company ready for the new data protection regulations might take time, but the process is relatively straightforward.
In our previous post, we looked at the impact that GDPR is likely to have on your business, as you put everything in-line with the new regulation. In this article, we're examining the practical steps that you need to take to make sure that you're GDPR-ready for the deadline day, 25 May 2018.
1. Document everything
As there's a need to prove GDPR compliance, it makes sense to document everything as you go, as proof that you not only took the regulation seriously but also as a ledger of changes that you made to meet the new rules.
Placing one person in charge of this process (a data protection officer, if you have one), will ensure that all information is stored correctly.
Documentation should include data protection policies, access restrictions, workflow protocols, data collection policies, and contracts with third parties.
All data processing of personal data should be noted down, and you should include the legal information of why you're allowed to process that data. For example, if you're relying on consent, demonstrate how that consent was given; if you have a 'legitimate interest' or other legal reason to process the data then state what that is.
2. Train staff
Staff should be trained in the new GDPR regulation so that they understand how to access personal data securely and how to protect and keep it safe. For example, the importance of not copying personal data.
Remember, the weakest link is often a single person inside your company, so the better trained your staff are, the less chance there is of a data breach.
3. Protect your data
GDPR Article 25 expects data protection by design and by default (https://gdpr-info.eu/art-25-gdpr/), and requires high levels of protection on all personal data. At an absolute minimum, this means implementing encryption on all data stores. Going further, a privacy impact assessment, following the ICO's guidelines (https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf), can help you identify weak areas and help boost protection.
A key thing to think about is pseudonymisation, which is heavily suggested by regulations as a way of protecting personal data. According to the definition in the GDPR text, "‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information".
In other words, you store personal data separately from additional information, so that if there's a breach, it's hard to reconstitute the data. And, when processing the data, there's an additional level of security. Importantly, implementing pseudonymisation demonstrates a commitment to security.
GDPR adds incentives for companies that use pseudonymisation, allowing some additional flexibility. Recital 29 states, "In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible." (https://www.privacy-regulation.eu/en/r29.htm). Benefits are found throughout the legislation, including Article 6 (https://gdpr-info.eu/art-6-gdpr/), which states the viable ways in which data can be used for different purposes to those with which it was collected for, provided that it's "compatible with the purpose" for which the original data was collected. One requirement is the existence of appropriate safeguards, such as pseudonymisation.
While the GDPR still has to be adhered to with pseudonymised data, the ability to perform some additional processing is likely to be appreciated by many companies. Check the regulation carefully to make sure that your intended use of data falls within the legal boundaries.
As well as better securing your data, your business should also restrict access to personal data both internally and externally. By default, every person or external contractor should only have access to the minimum amount of data required to perform their roles.
Finally, all data has to be stored on GDPR compliant servers with the EU, so check any cloud hosting and third-party services that you use to ensure that data storage meets this requirement.
4. Rewrite data collection policies
Where you're relying on consent to process data, the point of data collection has to have very clear messaging and allow for a clear opt-in. And, consent documentation needs to state the purpose of the data collection and which third parties, if any, will have access to the data. The ICO's draft guidance on Consent has detailed guidelines on how to gain consent, so make sure that these rules are followed everywhere.
You should seriously consider implementing double opt-in, too. While not required by the regulation, double opt-in clearly demonstrates that consent was freely given and gives you a stronger argument to process data.
5. Create a breach protocol
Should the worst happen and you suffer a data breach, it's important to act responsibly and quickly.
Under GDPR Article 33 (https://gdpr-info.eu/art-33-gdpr/), it clearly states, "In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority." In the UK, the supervisory authority is the ICO.
Breach notifications can be provided in phases, as new information comes to light, provided that the initial notification falls within the 72 hour period. Importantly, your business "shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken".
And, with Article 34 (https://gdpr-info.eu/art-34-gdpr/), you need to let your customers know to: "When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay."
Implement safeguards and put in place protocols to detect breaches, so that you have the tools to respond quickly. Make sure that you run trial drills, and have policies in place to shut down systems and reduce data access to prevent further leaks.
6. Implement a right to be forgotten policy
Individuals have a right to request a copy of their personal details for free. As the ICO explains, "You must provide a copy of the information free of charge. However, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive."
And, individuals have a right to be forgotten, whereby their personal details should be removed from your systems. However, you are allowed to retain data for certain reasons, such as for legal requirements, as set out by the ICO.
In both cases, you need to have the systems and processes in place to meet these new rights. And, it should be made clear to individuals how the right to be forgotten will work.
GDPR is there to protect the rights of individuals, but the ICO has made it clear that it's there to support and help companies get things right. GDPR, then, isn't a thing to be afraid of, but an opportunity to tighten security and improve the way that things are done. By taking careful steps to protect personal data and being able to demonstrate that you've taken appropriate action, your business can fulfil its obligations.
Become GDPR compliant
If you're looking to become GDPR compliant, the Cyber Essentials certification is a good way to start. Cyber Essentials is a simple but effective, Government backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks.
Read more of our GDPR blog series here: