It’s been four years since the introduction of GDPR, yet the number of fines across the UK and EU rose sevenfold in 2021. While the total value is skewed by a handful of very large fines, an annual survey by DLA Piper shows there was still a steady increase in the number of GDPR fines last year.
During this time the UK has gone through Brexit, and we now have the Data Protection Act 2018 (UK GDPR) to ensure GDPR remains relevant to UK organisations.
GDPR ensures that personal data privacy is treated as a priority by businesses; the consequences of failing to safeguard customer data are serious. So how can you ensure that your business meets the requirements, and succeeds at GDPR? What do you need to do?
Follow our 8-step GDPR checklist to help you build a privacy framework that meets the Regulations and avoids those hefty fines.
1. Data Mapping and Discovery
Once you have assigned responsibility for the project and reviewed its scope, the first task is to carry out a data mapping and discovery exercise.
This exercise needs to be thorough and robust. It will enable you to identify the data flow, describe its lifecycle and understand its key characteristics, for example the type of data being processed and the methods of collection and access.
The main challenge in data mapping is understanding all of the data your organisation holds. Often there are information silos and various formats of data across departments.
Use this information to help create your Records of Processing Activities required under Article 30 of GDPR.
2. Lawful Grounds
Ensure that you understand the lawful grounds under which you can hold and process personal data.
Many businesses focus on Consent, but consent is often not the most appropriate ground. It should arguably be the last lawful ground considered, unless consent is stipulated by a law or regulation that you are subject to.
Lawful Grounds you can consider are:
- Consent
- Contractual Necessity
- Legal Necessity
- Vital Interest
- Public Interest
- Legitimate Interest
> Check out the lawful bases for processing outlined by the ICO
3. Gap Analysis
Once you have a clear view of your information, you can assess your current data security arrangements against the requirements of GDPR. Consider the following types of controls:
- Physical security: who has access to physical locations where the data is stored? Control your key holders and consider what additional physical security could be put in place to protect the data, such as locked cabinets and safes.
- Technical security: are your systems password protected and could you use 2-factor authentication (such as a mobile phone verification process)? Consider other technical measures such as encryption, stronger firewall configurations, reputable anti-virus and anti-spyware software.
- Administrative security: do you have policies and procedures in place that define how staff can securely handle personal data? Do your procedures include a way to ensure that you observe data retention periods?
4. Review Privacy Notice
Providing a clear and accessible Privacy Notice is a key requirement of GDPR. They help to ensure that Data Subjects have easy access to all the information they are entitled to under GDPR.
While Privacy Notices were required under the old Data Protection Act 1998, the Data Protection Act 2018 and GDPR go further and require more detailed information to be provided to data subjects. The emphasis is on making these notices easy to read, so that organisations make it clear to individuals how their data is used.
Data controllers must take ‘appropriate measures’ to ensure that individuals are aware of the facts at the point of first contact or data collection. The information that companies provide about how their data is processed must be:
- concise, transparent, intelligible and easily accessible;
- written in clear and plain language, particularly if addressed to a child; and
- free of charge.
Data mapping your information flow (as in point 1) will give you most of the detail required to write a robust Privacy Notice. GDPR simply brings into effect what has always been considered good practice.
5. Implement Policies & Procedures
GDPR means reviewing several internal policies, processes, and procedures to ensure that they meet the requirements. In some cases, new policies will need to be implemented. Areas to review include:
- Consent Process – review how you seek, record, and manage consent and update consents if necessary.
- Data Subject Access Requests – how will you handle and respond to these?
- Data Protection Impact Assessments (DPIA) – have a process in place to determine if and when a DPIA is required
- Security – ensure that data is secure through clear procedures as well as technical means
- Data Breaches – know how you will detect, report and investigate a data breach
Working through these stages will ensure that you are prepared for GDPR.
6. Contract your 3rd Party Processors
When you provide a 3rd party with personal data that you control, you suddenly increase your risk and liability for that data.
Any penalties issued as a result of a breach to that data are proportionate to the size of the controller’s (your) business. Whilst fines can now be levied against data processors (your service provider), they can ultimately be recovered from the data controller (you) where the Processor is unable to pay them.
In addition, where a company is part of a group of companies, penalties can be recovered from anywhere within the group.
GDPR now has some specific requirements regarding 3rd party processors, including the requirements to have a contract in place that legally provides for confidentiality and the legal right to audit Data Processors.
7. Data Protection Officer
Your organisation should designate someone to take overall responsibility for data protection compliance within the business. In some instances, you may need to appoint a Data Protection Officer (DPO). Article 37 states that:
The controller and the processor shall designate a data protection officer in any case where:
- the processing is carried out by a public authority or body,
- the core activities require regular and systematic monitoring of data subjects on a large scale;
- the core activities relate to large-scale processing of special data—for example, biometric, genetic, geo-location.
These conditions apply to small and medium-sized enterprises (SMEs) as well as large corporate firms. The DPO’s role is to inform and advise the business of their data protection obligations, monitor compliance and advise on DPIAs.
Often this is not a full-time role; however, adding these duties to existing staff is not as easy as it sounds. A DPO must be independent and objective in their duties, must report directly to Senior Management and must have legal and technical expertise. Staff who interact with personal data, or who report to someone responsible for personal data, are likely to have a conflict of interest.
To ensure that your DPO is fully competent you must ensure that the individual has relevant legal and technical expertise, plus invest in any relevant training to ensure these skills remain appropriate.
Where appointment of an internal DPO is not possible or where training is not viable there are options for virtual DPO services. Make sure you thoroughly check the credentials of providers if you take this route.
8. Communications & Staff Training
To ensure compliance across your organisation it is imperative that staff are fully aware of the obligations of GDPR. Data protection impacts many areas of a business, so it is crucial that employees understand why new data policies and procedures are required.
Effective communications should be a major factor for companies who want to succeed at GDPR. All staff should have knowledge of the basic principles of GDPR, with full training for those responsible for the collection, use and storage of data.
Awareness and training programmes should be regular to ensure ongoing compliance. For many businesses only now looking at GDPR compliance, training and awareness is one of the best ways of protecting themselves from breaches while they focus on implementing a Privacy Framework.
Source: Digital Guardian – Number of GDPR Fines Rose 7x in 2021