The EU's General Data Protection Regulation (GDPR) has been in force since 25 May 2018, and so businesses have had plenty of time to get accustomed to the new rules.
Compliance was never going to be an overnight job. In fact, it's fair to say that it's fairly unlikely that most businesses will become 100% GDPR compliant, which is especially true for those legacy corporations with decades of older practices still awaiting reform. According to a handful of surveys released in the time since the May enforcement date, a swathe of organisations are yet to consider themselves fully compliant, particularly when it comes to newer mechanisms such as fulfilling their obligations as part of a subject access request.
The UK's Information Commissioner's Office (ICO) has said that it understands that transitioning to an updated set of data laws is a challenging task, especially for those businesses that aren't large enough to justify a dedicated data protection officer (DPO). While it's true that businesses must take every step possible to comply with the new rules, simply being able to demonstrate a willingness to comply will go a long way in the eyes of regulators.
For those setting up a business from scratch, a willingness to comply with the rules is doubly important, as there's no excuse for creating a new data process that doesn't have GDPR at its core.
The ICO advocates that organisations use their present efforts in compliance as a starting point from which they can build on. But what precisely does compliance with GDPR mean? To help you transform older business processes, or create new ones with GDPR in mind, we've complied a handy checklist to guide you.
IT and data governance
Audit all the information your organisation holds: You must set up a list of the personal data you hold and arrange it by type, i.e. names, addresses, phone numbers, and so on. You must also provide a source for each separate piece of information documented.
Establish how you store data, and who it's shared with: This could be a list of internal databases, but could also include offline stores and third-party storage providers. You must establish which parties you share your data with so that if you need to delete or amend that data, you can inform an associate organisation that they must also update their records.
Document how data is processed: Organisations will need to outline all processing activities, including keeping the name and contact details of the data processors, as well as the categories of processing carried out - and the transfers of personal data to an 'adequate' third country (one that is outside the European Economic Area, but whose data protection measures are deemed adequate for data transfers) or international organisation.
Refresh existing consents if necessary: Consent must be given freely, as well as being specific, informed and unambiguous; hinging on a positive opt-in. Under GDPR, you can't rely on pre-ticked boxes or opt-outs, nor bundle in consent with agreement to other terms and conditions. You must explain clearly and specifically why you're collecting certain data and what that data will be used for, plus which third-party controllers will be able to use that consent. You also need to make clear that users can withdraw their consent down the line, and make it easy for them to do so.
Go digital to meet today’s critical compliance and security requirements
Digital transformation helps companies meet critical compliance and security requirements
You should also keep consents separate – if you're asking users to agree for you to do different things with their data, you'll need to ask for their consent to each of these things. Although you won't necessarily need to refresh all existing consents gathered pre-GDPR, if you rely on consent to process data, you will have to ensure existing user consents meet these higher GDPR standards, or be ready to re-consent them.
Maintaining your customers' rights
Respect new and existing rights: You should examine your procedures to ensure they cover the new and existing rights customers have - including how you plan to delete personal data, or provide data on request.
Fulfilling Subject Access Requests (SARs): People's requests to access the data you hold on them must be fulfilled within a month, instead of 40 days, and data must be provided in a structured, commonly-used format, and you cannot charge a fee. Consider implementing a system for users to easily access their own data online, to reduce the pressure on staff handling a large number of SARs.
Right to rectification, restriction, and erasure: The new legislation outlines how users have more control over their personal data. The key to respecting these rights lies in understanding how your organisation plans to handle the flow of requests to amend any data inaccuracies, to comply with a demand that you stop processing someone's data, and to erase any personal data you hold on a subject, or move it to another organisation at their request.
Internal awareness and accountability
Implement staff training: A great many data breaches are inadvertent, and involve a degree of human error by staff with access to internal systems. Training all your staff to be aware of how GDPR affects their daily work not only maximises your organisation's chances of full compliance, but minimises any risk of suffering data loss or theft.
Educate decision-makers: Setting up an accountability and governance framework, involving executives and senior members of staff in your organisation, is key to compliance. Involving senior staff is not only important in budgeting for the compliance process, but for identifying the areas that may be at risk, and ensuring each department has a specific readiness plan to execute.
Appoint a Data Protection Officer (DPO): Your organisation must designate a DPO with the responsibility for data protection compliance if you carry out regular and systematic monitoring of individuals at scale, or large-scale processing of special categories of data, such as health records. The DPO must have the right knowledge, support and authority to carry out their duties effectively. Those that conduct data processing on a smaller scale, such as small businesses, are not required to have a dedicated DPO, particularly as they will likely be unable to justify the added expense, but should assess whether they can merge the role's responsibilities with an existing position.
Carry out a Data Protection Impact Assessment (DPIA): DPIAs are a fundamental part of GDPR, as they show the organisation has considered the risks associated with their proposed data processing, and therefore are used to justify any data processing to the ICO. Without it, the regulator is unable to determine whether a decision to proceed with data processing was calculated, which will likely be considered negligence in the event of an audit or data breach.
DPIAs are mandatory for certain organisations in cases where a new technology is being deployed, a profiling operation is likely to affect customers, or where there is processing of special categories of data on a large scale. However, DPIAs are generally helpful for establishing how risky certain data processing activities are, so your organisation should always perform one, regardless of the scope of the data processing activity. For a guide on how to perform a DPIA, head here.
Reporting data breaches: Every business has the duty to assess the nature of their data breach and determine whether the incident is likely to infringe on the rights of its data subjects. If the determination is yes, this must be reported to the ICO within 72 hours – including what data has been lost, any consequences, and what countermeasures you've taken.
If your business has determined that the incident will not infringe the rights of data subjects, for example in the case of encrypted data, the business is not required to contact the ICO but it must inform data subjects about the incident. It's vital to cooperate with authorities as fully as possible to both minimise the scope for suffering penalties, and to ensure your reputation does not suffer any undue damage.
If a business decides not to inform the ICO (based on the above determination), it must be able to justify this decision to the regulators should an audit occur.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.