In her blog ‘GDPR is not Y2K’, the UK’s Information Commissioner Elizabeth Denham called the GDPR an evolutionary process and an “ongoing effort” that does not end on May 25th, 2018. As businesses based in the European Union (or those that collect or process the data of individuals based there) get ready for the GDPR, this is the perfect time for organizations to review their systems and policies to ensure they follow data privacy best practices.
Here are 12 steps to help you in this process.
Step 1: Raise Awareness of GDPR and its Implications for Your Organization
It’s important to ensure that decision-makers and key members of your organization are aware that the law is changing and that they appropriately anticipate the impact and potential risks of GDPR.
Keeping the penalties for non-compliance in mind, it would be a good idea for an organization to train its employees on how it plans to proceed when collecting, storing, or processing personal data.
Step 2: Conduct an Information Audit
Since the GDPR encourages a more disciplined treatment of personal data, you should document all personal data that you currently hold. This includes how each set of data was collected, its source, the purposes for which it was collected, where it is stored, who it is shared with, and how long it is retained.
Once you’ve done this assessment, determine what you need to keep from the data you currently have. Undertaking a data protection audit will help you understand what your current processes are, and identify any gaps that may exist.
Step 3: Review Your Privacy Notices
The GDPR’s rules on giving privacy information place emphasis on making privacy notices understandable and accessible. The law states that the information you provide to people about how you process their personal data must be concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child; and free of charge.
Therefore, your organization should review its current privacy policies and communications to ensure they align with the GDPR stipulations.
Where you rely on consent as your lawful basis, the GDPR requires that consent be freely given, specific, informed and unambiguous. Pre-checked boxes and implied consent will no longer be acceptable. You will have to review all of your privacy statements and disclosures and adjust them where needed.
Step 4: Outline Individuals’ Rights
Generally, the rights individuals have under the GDPR are the same as those under the outgoing Data Protection Directive, but with some significant enhancements. The right to data portability is entirely new under the GDPR.
As part of your GDPR preparation, review these rights and make sure you understand the business impact of each one. Then review your business’ communication and information material to ensure that it clearly states all necessary information, and confirm that effective systems are in place to enable the organization to give effect to these rights.
You also need to ensure that you’ve established the policies and procedures to handle the wide variety of requests that the law gives individuals the right to demand.
Step 5: Plan for Subject Access Requests (SAR)
A Subject Access Request (SAR), referred to in the GDPR as the right of access, entitles an individual to see what personal data an organization holds about them, why it is being processed, and who it has been shared with. Having a system in place to handle SARs effectively and within the legal timeframe (without undue delay and at most one month, extendable by two further months for complex or numerous requests) is key to becoming GDPR-ready.
A practical SAR plan should include, among other things, the policies and internal processes for identifying the staff who need to be GDPR-trained. It should also define how your organization will assign SARs to trained individuals, with deadlines and alerts, while retaining visibility and management reporting.
Step 6: Conduct a Data Processing Audit
Organizations may need to prove that they have a legal ground to collect or process data. Currently, most organizations rely on consent by default, but the GDPR toughens the rules for obtaining and keeping consent. It sets out six lawful bases for processing personal data (consent, contract, legal obligation, vital interests, public task and legitimate interests). Organizations should learn when each basis applies and adjust their data collection policies accordingly.
One of your key steps will be to document a data processing audit outlining the different types of data processing your organization performs and the legal basis for each of them.
Step 7: Review How You Seek, Record, & Manage Consent
The GDPR lists specific requirements for lawful consent requests, and consent must also be given by a clear affirmative action. Consent requests must not rely on silence, inactivity, default settings, taking advantage of inattention or inertia, or default bias in any other way.
Check if your current consents need refreshing. You must have an audit trail of how and when consent was given so that you can show that you are compliant if challenged.
Since individuals are free to withdraw their consent at any time, and withdrawing must be as easy as giving it, you also need a system in place to record the withdrawal and stop the processing that relied on it, for example by removing them from your mailing lists.
Step 8: Safeguard Children’s Data
If the GDPR’s rules on children’s data apply to you, take steps to ensure that appropriate parental consent mechanisms, including age and consent verification processes, are implemented in your processes. Your notices, if addressed to children, must be child-friendly.
Remember that children will have the same rights as adults over their personal data. These include the rights to access their personal data, request rectification, object to processing and the right to have their personal data erased.
Step 9: Review Your Strategy for Protecting Your Data and Handling Data Breaches
Make sure you have robust breach detection, investigation and internal reporting procedures in place. Equally, it is important to have a response plan that addresses any personal data breaches that may occur, bearing in mind that the GDPR requires notifiable breaches to be reported to the supervisory authority within 72 hours of becoming aware of them, and to the affected individuals without undue delay where the breach is likely to result in a high risk to them.
Step 10: Adopt a Privacy by Design Approach
The GDPR requires organizations to adopt the principles of “privacy by design and by default” and embed appropriate security measures into their systems at the outset, rather than applying features retroactively.
Privacy by design is crucial for organizations not only as a compliance requirement but also because it nudges them to look at cybersecurity processes in a more focused and serious way.
Step 11: Designate a Data Protection Officer
In certain circumstances, the GDPR makes the appointment of a DPO mandatory, regardless of the organization’s size or whether it is a controller or a processor. For more details on these circumstances and the responsibilities of a DPO, check out our earlier blog on “Responsibilities of a Controller, Processor, and Data Protection Officer According to the GDPR.”
Step 12: Determine Your Lead Supervisory Authority
If you operate in more than one EU member state (i.e., you carry out cross-border processing), you should determine your lead supervisory authority (LSA). The LSA is the supervisory authority in the member state where your main establishment is. Determining who the LSA is will require legal, practical, and strategic considerations.
Disclaimer: Please note that in this blog, we have provided basic information regarding the GDPR. WSI is not a legal authority for GDPR and can only offer advice on the best practices to follow while carrying out any digital marketing initiative. However, for advice regarding the legal interpretation of this law for your business, please approach a legal or data protection official.
If you want a quick checklist of all that we discussed above, download our “12-Point Checklist to Help Prepare Your Organisation for GDPR” by clicking here.