13 Aug 13 Must Have Steps for GDPR Compliance
GDPR (General Data Protection Regulation) came into effect on 25th May 2018, introducing a complex set of data protection rules that affect every global company that does business with citizens of the European Union. Forbes described the launch of GDPR as been as the “greatest change to European data security in 20 years.”
The European Parliament ratified GDPR in April 2016, giving companies just over two years to implement the regulations. Since then, the online world has been flooded with information to help businesses comply. The wealth of (sometimes contradictory) information has, in some cases, done more to confuse than inform.
With GDPR just coming into effect at the time of writing, this article will help you ensure that you’ve ticked all the necessary boxes – to ensure your initial and continued compliance with the regulations.
It runs through a series of steps and alludes to a fictional company owner called Jim.
Jim owns a medium-sized business and has done all he can to plow through all the information out there to achieve compliance. However, as is likely the case with many people, Jim has missed some of the nuances of the regulations and left himself and his company exposed to some risks. By following Jim through the steps, you do not fall foul of the new regulations.
What is GDPR?
GDPR stands for General Data Protection Regulation. It’s a detailed set of regulations imposed by the European Union concerning the collection, processing and storage customer data. Although GDPR is an EU initiative, it doesn’t only affect businesses in Europe; any worldwide company of any size that does business with customers in the EU must comply with the rules.
The 13 “Must-Have” Steps for GDPR Compliance
The 13 steps below each detail a potential problem in obtaining full GDPR compliance. They address common misconceptions and areas of the regulations where it’s easy to miss key details. Such mistakes can result in accidental non-compliance.
For each step, we use the example of where “Jim.” Like most business owners, he has tried his best to comply, but still fallen short of full GDPR compliance. We then move on to addressing each issue, making sure the details are suitably dealt with.
1. Auditing Systems and Data
What Happened During the System Audit?
Jim tried to think about everywhere in his business where customer data was stored, but stopped short of carrying out a full data mapping exercise. As a result, he failed to spot certain silos of data and make provisions for them, leaving him potentially non-compliant.
System Audit Background
To achieve GDPR compliance, your company must first consider every possible location where personal data relating to EU customers may be stored. This could include anything from a file within an email or saved locally on a laptop, to a cloud-based database, or a drawer in a filing cabinet containing paper documents.
Even if your business is small, the chances are that there are numerous places where you and your employees store customer information. These likely span:
- Multiple physical locations – filing cabinets, cupboards, satellite offices, home locations for remote workers
- Multiple devices – desktop PCs, laptops, mobile devices
- Multiple online locations – email servers, data centres, backup providers and cloud-based applications.
Despite being a complex process, data mapping enables you to understand where your customer data is and rationalise why you have it.
Also, as GDPR provides individuals with considerable rights to request access to all data held on them (see below), it’s essential to consider the location of all personal data, and how it can be easily retrieved.
System Audit Solution
You must carry out a full data mapping exercise for your company and ensure that this ongoing process includes any new systems brought online (more on that later in the article).
Key to every data map is:
- What data you have (Names? Email addresses? Records of phone calls? Address data?)
- Whether the data is deemed ‘special category’? E.g. ethnic or religious backgrounds, health or childrens data
- Where it is (physical/electronic/geographic location)
- What form the data is in (hard or digital copies, emails, database entries)
- How data is transferred
- How data is protected (physical security, encryption etc.)
- Who has access to the data
In many cases, a full data mapping exercise will uncover some areas where data storage isn’t fully GDPR compliant, allowing you to take mitigating steps.
Crucially, documenting this exercise helps your company to demonstrate and evidence the effort you have taken to comply with the GDPR requirements. In the event of a data breach, customer complaint or investigation, it will form a crucial part of your GDPR compliance documentation.
2. Establishing Roles and Responsibilities
What Happened with Roles and Responsibilities?
Jim thought that he could “shift the risks” associated with GDPR by calling in an external firm to help, outsourcing most data processing, and making the IT team take the lead on GDPR. However, Jim missed a vital point: as data controller for his business, the buck stops with him.
Roles and Responsibilities Background
Many companies offer services to assist you with compliance, and many firms have found these services invaluable in assisting with GDPR implementation. However, you cannot outsource your overall responsibility for GDPR compliance.
When it comes to third-party data processing, it’s essential that you remember that GDPR is all about accountability. Whileprocessors have significantly enhanced responsibilities under GDPR, and could find themselves subject to financial sanctions, it’s still your responsibility as a data controller, to ensure that all parties involved in the handling of personal data are properly compliant. This means confirming how they process data, having appropriate checks in place and robust contracts.
Making GDPR an “IT issue” is also a flawed strategy. The IT department may understand where silos of data are located and your overall IT infrastructure, but the team is often a step removed from the day-to-day business. They won’t necessarily know all the intricacies of how different departments work. Overall GDPR compliance should be part of your organisational culture, meaning that every single employee, partner, vendor or supplier has the responsibility to act in an GDPR appropriate way.
With all this in mind, the key thing to point is that you may, one day, have to provide evidence of the work you’ve done on GDPR compliance. A declaration that you “asked someone else to do it” is unlikely to wash with the Information Commissioner’s Office.
Roles and Responsibilities Solution
GDPR compliance is best treated as an ongoing team effort. Specialist advisers, third-party processors and department heads all have a part to play.
However, you must oversee every part of the process. Delegating tasks when you will become legally responsible for their completion is something that should only be done with care and oversight.
3. Appointing a DPO
What Happened When Appointing an DPO?
Jim heard that every company needed a Data Protection Officer (DPO). He decided that his Head of Sales and Marketing would be a good man for the job and handed the responsibility straight to him. By doing so, Jim misunderstood both the requirements and the purpose of this role.
Background to Appointing a DPO
The rules around Data Protection Officers are complex, so choosing who to select is nothing like choosing a suitable fire warden or first aider!
In many cases, companies don’t actually need a DPO under UK law. In fact, it’s only mandatory if your organisation is a public body, engaged in large-scale online behaviour tracking, or involved in processing “special categories of data,” such as those involving criminal records.
The Information Commissioner’s Office states that an appointed DPO should be “independent, an expert in data protection, adequately resourced, and report(ing) to the highest management level.” The chances are that this applies to few if any, staff within your organisation.
Regardless of whether it’s mandatory or not, it makes sound sense to nominate an individual, or a panel of individuals, to oversee ongoing GDPR compliance. It also makes sense to select people who have some level of independence in the organisation, rather than to tie GDPR to a specific department, such as IT or marketing.
Solution to Appointing a DPO
The most crucial step is to ascertain whether the law requires you to officially appoint a DPO. If your business falls into that category, you will need to select a suitably qualified team member, recruit someone specifically, or outsource the task.
Even if it’s not mandatory to do so, establishing who will manage GDPR on a day-to-day basis is a wise strategy, providing a single point of contact for all data protection queries from your employees.
One important thing to avoid is officially appointing an unsuitable and insufficiently experienced person as a Data Protection Officer, especially if your business doesn’t legally require one. Under GDPR, a voluntarily appointed DPO must still adhere to the same duties and responsibilities as specified by the regulation.
What is a DPO?
A DPO is a Data Protection Officer, who takes responsibility for data protection compliance within a company. Under the EU’s GDPR (General Data Protection Regulation), a DPO should be independent, properly resourced, and an “expert in data protection” in order to achieve GDPR compliance. DPOs in UK companies can be internal employees or outsourced specialists.
4. Creating a Data Protection Policy
What Was the Issue When Creating a Data Protection Policy?
Jim thought that ensuring his firm was complying with the GDPR requirements was sufficient, and that no more documentation was required. He was confident of this, especially as he concluded that the bulk of data processing rested with his cloud suppliers. However, this meant Jim overlooked the importance of governance related to GDPR.
Data Protection Policy Background
The Information Commissioner’s Office states that data protection policies are only required “where proportionate.” However, the ICOs own GDPR compliance checklist also suggests you keep “evidence of the steps you take to comply,” and that you “maintain documentation.”
GDPR requires you to prove compliance. The ICO recommends that even “smaller organisations” maintain “proportionate policies and procedures.” In the event of a data breach, you will be expected to evidence your policies, procedures and safeguards in place to the ICO. Obviously, the length and depth of your data protection policy will vary based upon the size and complexity of your organisation. Official GDPR guidance suggests putting a “privacy management framework” in place if you run a large company.
If your business is smaller, your data protection policy needn’t be an overwhelmingly complex document. Instead, it just needs to show “what you do and why.” It should cover the information you keep, why you keep it, and how you protect it. The policy should also detail roles and responsibilities, and detail the procedure for handling breaches and information requests (see below for more details).
Data Protection Policy Solution
If you’ve already completed a data mapping exercise, as per point one, you will already have a considerable amount of the information you need to flesh out a data protection policy. Policy templates are also widely available if you wish to use one as the basis for your own.
The key phrase to remember is “demonstrable compliance.” Your policy should achieve two key things: Firstly, it should be a working document that helps the business comply with GDPR. Secondly, it should be a document that allows you to prove you are fulfilling your legal responsibilities.
5. Educating your Employees
What Was the Issue With Employee Education?
Despite putting considerable effort into planning for and implementing GDPR, Jim didn’t involve and inform his employees and key stakeholders of the upcoming changes.. As such, there are staff members who are unaware of the details of the new legislation, and their related responsibilities.
Background to Educating Employees
GDPR affects everyone withinan organisation. Although individual staff members typically have varying levels of involvement in GDPR’s implementation and ongoing management, it’s possible for anyone to make mistakes that could compromise compliance.
Regardless of the time and expense of training, everyone in your company needs to understand the basics of GDPR. Staff must understand where there are limits and restrictions around how data is used, stored and processed.
In some cases you may encounter resistance from staff, as the boundaries of GDPR may remove some flexibility in how tasks were previously completed. For example, saving and storing unencrypted files ona USB key to work at home is now off-limits!
GDPR implementation and ongoing compliance simply cannot work in isolation. It needs buy-in and understanding from all stakeholders.
Solution to Educating Employees
It’s essential that you ensure that no staff member responds to “what is GDPR?” with a blank expression.
Unsurprisingly, dozens of companies have started offering GDPR courses – ranging from online offerings to classroom-based training. Depending on the size of your organisation, something like this may be appropriate. However, the key thing is that staff not only understand the basics of GDPR, but understand the specifics of how it affects their company and their work.
This takes us back to the data protection policy discussed in the previous point. By making this a working company document, you can make it a key part of your GDPR training.
6. Protecting your Network
What Happened to Network Protection
Jim thought that checking with the IT team that the company’s internal systems were “secure” was sufficient. However, he didn’t consider the many processes and devices that could provide access to company data. Every one of these “endpoints” provides an opportunity for a potential data breach to occur.
Background to Network Protection
In all sectors, from banking to healthcare, a considerable proportion of data breaches happen due to lost and stolen devices.
The Data Protection Act, which preceded GDPR in the UK, already stated that companies should implement “appropriate technical and organisational measures” to protect data. This means you should have already been considering issues such as the encryption of personal data, ways that systems can be accessed externally, and places where data can accessed such as on smartphones and other personal devices.
In the event of a breach, the ICO will undoubtedly want to look at the steps your company took to protect customer data. Allowing unfettered remote system access, use of unencrypted devices, or even just email access on smartphones, could all potentially be seen as a failure to take adequate security measures.
Network Protection Solution
Managing the technical side of GDPR compliance requires extensive input and support from your IT team.
Some necessary steps are obvious – such as making full disk encryption mandatory on laptops. Others require more thought, such as the use of encrypted VPNs when staff use public Wi-Fi to conduct company business. Similarly, there may be a need to review BYOD (Bring Your Own Device) policies, perhaps restricting the use of personal devices for company data – if there isn’t a sure-fire way to protect that data.
As with many parts of working through the GDPR checklist, this step requires you to look at the organisation as a whole – brainstorming absolutely everywhere that customer data can end up.
7. Considering HR
What Happened With Human Resources?
Due to GDPR’s primary focus on customers, Jim neglected to think about data his company holds on staff members. In fact, certain Human Resources data, which is often sensitive and highly confidential, is considered “special category data” under GDPR. Failing to make plans to protect this data leaves Jim at risk of legal action – from his own staff members.
GDPR defines certain sets of data as “special category data.” This was also the case under the UK’s previous Data Protection Act.
A considerable amount of personnel / HR data can find its way into this category. For example, you may store information relating to employees’ health for the purposes of keeping sickness records. Records on race, ethnic origin and union membership are other examples of HR data that’s considered “special category data.”
Just like customer data, you’re responsible under GDPR for storing this data is a safe, fair and lawful manner. It should be clear to staff how and why you process such data.
Essentially, the key thing to remember is that your employees are “data subjects” under GDPR as well as your customers. HR data is very much within the scope of GDPR and must be well protected.
8. Understanding Privacy Notices & Explicit Consent
What Happened with Privacy Notices and Explicit Consent?
Jim thought that with all this new policy and procedure documentation, he must surely have done enough to demonstrate GDPR compliance. However, he didn’t realise that a huge part of GDPR is also communication with the customers it affects. Failing to communicate adequately to customers about data protection still leaves Jim liable to legal consequences, however good his internal documentation is.
Privacy Notices and Explicit Consent Background
The launch of GDPR isn’t just about updating older data protection legislation to make it more appropriate for the modern, connected world.
It’s also about giving power back to individuals (data subjects), and allowing them to have full visibility of
- What data you’re collecting
- Why you’re collecting it
- Who has access toit
- How you’re storing it
- How long you’re keeping it for
If you’re responsible for GDPR for your organisation, an essential principle to understand is that of “explicit consent.” This principle makes it considerably harder for companies to use and process data unless customers have agreed to it “by a clear affirmative action.”
This means, for example, that if you have a customer email address, you can’t just add it to a newsletter mailing list. The customer must have given “explicit consent” for the email address to be used for that purpose.
GDPR should stop companies using crafty ways to get around using data for multiple purposes. For example, it’s not permitted for companies to “bundle” data usage consent in with other terms or conditions, or to use “pre-ticked boxes.” Both of these methods fall short of the customer taking a “clear affirmative action.”
In addition, customers must also be provided with straightforward ways to withdraw their consent at any time.
This is why, in the run up to GDPR’s launch, you no doubt noticed countless companies issuing updated privacy notices, and requesting “re opt in” to continue to receive communications.
Privacy Notices and Explicit Consent Solution
You must ensure that you’re providing customers will full transparency with regard to how and why their data is used.
Furthermore, you must ensure you have an audit trail so that you can evidence, on request, when a customer handed over data (such as an email address), prove that you made clear what purposes you would use the data for and also that the information held is up-to-date.
As discussed in section ten, below, you may find that in some cases you have stored data, such as an email list, where you can’t produce this audit trail. As a general rule, the only option is to delete this data to comply with GDPR. This is why so many companies sent out emails asking people to re-confirm and update their details in the run-up to the GDPR live date.
There is an additional basis for legal processing called ‘legitimate interest’ which we have discussed previously in our post ‘’5 considerations for GDPR’’. The ICO has some great guidance on situations where this may be appropriate, but also warns that despite its flexibility, it should be used in moderation. Data controllers must perform a ‘legitimate interest assessment’ prior to processing to ensure the balance between organisational and data subject interests.
9. Handling Access Requests
What Happened with Access Requests?
Jim didn’t realise that a key part of GDPR is that customers have a right to request a copy of the all the data his company holds on them with a month. As a result, he risks being completely unprepared when the first subject access request comes in.
Access Requests Background
GDPR incorporates a general principle known as “right of access.” This is an evolution of a right customers already had under the UK Data Protection Act.
The right of access rules specify that you must be prepared to confirm that you are processing a customer’s data on request, supply a copy of all the data you hold, and provide “other supplementary information.” This information primarily means processing information you would usually include in your company’s privacy notice(s).
The data controller (i.e. your company) is responsible for compiling the information in response to an access request. The general time-frame for responding to such requests is one month.
Although there is some provision under GDPR for charging an administration fee for providing the information, and / or taking longer to compile it, the wording of GDPR suggests that these options are only really relevant in extreme or complicated cases.
There’s also a “right of erasure” you must be aware of, usually referred to as the “right to be forgotten.” This means that, on request, any customer can request that you delete any information you hold on them. The time-frame for this is also one month, and some exceptions apply, such as where you’re holding data for legal reasons or “public interest” purposes.
Access Requests Solution
Your data protection policies and procedures need to make provision for the fact that customers may lodge an access request or exercise their “right of erasure” at any time.
A thorough data mapping exercise, as discussed in point one, makes actioning these requests far more straightforward. If you have full knowledge of where data is located – on local servers, in physical form, and within cloud services – it makes it much easier to ensure that you miss nothing when you compile or purge it.
It makes sense to build procedures for access and erasure requests into your data protection policy. That way you won’t have to“make it up as you go along” as and when you receive such a request. The policy should include who manages the process, and the form in which data will be provided to the customer.
10. Checking your Data History & Archives
What Happened to Data History and Archiving?
Over the years, Jim built up various mailing lists and databases. Some contact details were “bought in” in the early days of his business, and previous customers were added to various mailing lists. Jim only considered future data collection and storage when considering GDPR, and didn’t consider that continuing to use some of this existing data puts him at risk of breaking the law.
Data History and Archives Background
GDPR applies to all data – past, present and future.
As such, if you’ve ever purchased mailing lists, or built them from customer emails without people specifically “opting in,” there’s a good chance that you have no legal right to hold onto the data, let alone contact people using it.
This was a controversial issue in the run up to the live date for GDPR. The Guardian revealed that many of the “pre-GDPR” emails sent out by companies were illegal in themselves.
The basic fact is that you can’t send an email to an individual to ask for future consent to email them if they haven’t already provided that “explicit consent.”
Even in situations where you believe customers have consented to email marketing, for example, once again the burden of proof is on you. So, if you don’t have an audit trail to show when, where and how they provided consent, you are likely to be in breach of GDPR.
GDPR fines for breaches of this nature are very likely. In 2017, both Flybe and Honda were fined by the Information Commissioner’s Office for exactly this kind of offence.
Data History and Archives Solution
The solution to this point is a simple one: Only retain and process customer data if you can clearly prove “explicit consent.”
This may seem disappointing, especially if you’ve paid for datasets or built up marketing mailing lists in the past. However, without an audit trail, it’s the safe and legal option to abandon and delete such data.
With such extensive publicity around GDPR, consumers are increasingly aware of their rights. It seems likely they will exercise them if they are affronted by receiving unauthorised communications.
11. Preparing Your Breach Process
What Happened to Breach Processing?
Jim found a detailed GDPR compliance checklist, and thought that after ticking off all the boxes he was all set up for the future. However, because he didn’t consider the possibility of a data breach, he failed to put plans in place for what should happen. This has left him woefully unprepared for quickly responding to any future issues.
Breach Processing Background
Unfortunately, no infrastructure is completely infallible and , data breaches can and do happen regularly in companies of all sizes.
Breaches can happen as a result of human error, cybercrime, or undiscovered vulnerabilities in hardware and software. Often there’s nobody specific to blame.
GDPR includes strict rules on reporting breaches to the ICO, whether or not they’ve yet had a noticeable impact. The general rule is that breaches must be reported within 72 hours. Not all breaches require a report, with the exact rules hinging on “the likelihood and severity of the resulting risk to people’s rights and freedoms.” The ICO provides detailed guidance along with illustrative examples.
GDPR incorporates considerably more obligation to report breaches to the ICO compared to the previous Data Protection Act guidelines. Along with the strict 72-hour deadline, this illustrates the importance of having a procedure in place to handle a breach. It’s not something you’ll want to have to work out as it happens!
Breach Processing Solution
Obviously the most important thing to do is ensure that a data breach within your company is as unlikely as possible. This is covered in section six, above. Widespread use of data encryption is one of the most effective and straightforward strategies, and eliminates one of the most common causes of data breaches – data being taken from lost and stolen devices.
As mentioned above, a breach isn’t always somebody’s fault, but the duty to report it, and to deal with any related financial and reputational damage, will fall on you.
The first thing to do is include a process for reporting breaches within your data protection procedure. Knowing who to contact and how will save time if the worst happens.
It’s also worth considering how you would know if a breach had occurred. This can mean anything from ensuring you’re immediately informed as to any breaches occurring with your data processing partners, to the use of intrusion detection systems across your infrastructure .
Thirdly, although it’s not strictly related to GDPR, it makes sense to invest in cybersecurity insurance. Not only will this help protect you from financial liability in the event of the breach, it will give you access to experienced professionals to assist with the aftermath of a serious problem. This could extend to dealing with complaints and communications from customers.
12. Learning about Data Protection Impact Assessments
What Happened with Data Protection Impact Assessment?
Jim thought he’d learned all there was to know having implemented GDPR, but he wasn’t aware of the need for Data Protection Impact Assessments for future projects. As such, he risks starting off new projects without considering their impact on his company’s compliance.
Data Protection Impact Assessment Background
Data Protection Impact Assessments are intended to protect individuals when companies undertake projects that may involve undesirable use and processing of their data.
Examples of such projects include those that involve monitoring of public places, the use of biometric data, or the combining of data sources on a large scale.
While your company may not regularly undertake projects that require a DPIA, it makes sense to be aware of your obligations. In all cases, you must inform the ICO about projects that are deemed “high risk” after an impact assessment, and await their advice before proceeding.
Data Protection Impact Assessment Solution
It makes sense to familiarise yourself with the circumstances under which a DPIA is required under GDPR. You should also ensure that all staff with the autonomy to kick off and manage new projects are also aware of these guidelines.
Although this particular element of the regulation aims primarily at larger businesses and internet giants, it’s quite possible that any project that uses sets of data creatively could require an assessment.
Also – crucially – as with other areas of GDPR, these requirements are retrospective. So, if your company already processes data in ways that may fall within these boundaries, assessments are required for those ongoing projects too.
13. Ongoing Assessment
What Happened with Ongoing Assessment?
After feeling as if he’d dedicated weeks of his life to GDPR, Jim thought he could finally move on to something else! However, by not recognising the ongoing nature of the regulation, Jim risks becoming non-compliant as soon as his company starts using a new system or database.
Ongoing Assessment Background
GDPR marks the start of a whole new era in processing customer data. It’s not something you can implement and then forget about.
Say, for example, you implement a new email marketing system, or start storing data with a new cloud provider. At each point you must consider GDPR . This means updating your data map, confirming the new provider’s compliance, and updating your data protection policy where required.
All growing companies add new systems as they grow. Continuing to comply with GDPR means shifting the culture of your organisation. You have to ensure that you and your team always consider data protection as systems evolve.
Ongoing Assessment Solution
Ensuring ongoing GDPR compliance isn’t as onerous as it sounds. Once it becomes an everyday part of how things are done, it should become second nature.
There have always been a set of things to do when new systems are introduced. Including them in system backups, updating documentation, and making sure other systems are compatible. In reality, considering data protection should have always been on this list. Under GDPR this is considered ‘data protection by design and default’ which places data protection and privacy issues first and foremost in any situation involving personal data.
This brings us back round to the importance of ensuring there’s a person (or team of people) to take the lead with your company’s data protection responsibilities. By making information security core to your company’s culture, you can ensure that compliance is as easy as possible.
And by looking at GDPR in this way, it isn’t so much of a burden. Instead, it’s something that makes your organisation more secure, more responsible, and more mindful of the rights of customers.