GDPR Action Plan Part 4: How to be GDPR compliant on an ongoing basis
In this article, we’ll look at:
- Identifying and rectifying your data privacy weaknesses
- Some further resources
In our previous articles, we’ve looked at:
- How to audit your business to understand what personal data you are collecting;
- How to identify the different types of ‘processing’ of that data, and what you are actually doing with the personal data you hold;
- The 6 lawful grounds for processing data under the GDPR.
The natural conclusion to this process is to pull everything together so that:
- You have identified any weaknesses in your data privacy processes – including understanding whether anything you currently do would constitute a breach under the GDPR;
- You can confidently assert your legal basis for processing your different types of personal data;
- You have a specific plan for rectifying any issues you discover.
Let’s crack on.
Identifying and rectifying weaknesses and potential breaches
The principle here is pretty straightforward – by identifying how you are processing individuals’ personal data, and establishing the lawful basis for doing so, you will naturally discover any situations where you are unable to justify (in GDPR terms) the processing that you undertake.
Some examples might include:
- Where you process a type of data without the level of consent that the regulation requires, and where there is no other lawful basis that you can rely upon – such as continuing to use an ‘implied’ consent model;
- Where you collect more data than is required to carry out the purpose for which it was collected;
- Where you are holding onto old (and probably out-of-date) personal data that you no longer have a legitimate reason for keeping;
- Where you are unsure where a type of electronic data is stored, or who therefore has access to that data;
- Where more people have access to personal information than is required, or the data is otherwise not secure.
There are probably many other examples, but the point is this:
In order to have a chance at GDPR compliance, you need to fix these issues – either by changing your internal processes to address the specific issue, or by stopping the ‘offending’ processing and securely removing any data that you have collected in that manner.
Pragmatically, the time to do that is before the GDPR comes fully into force on 25th May 2018 – because even if you have a plan to rectify the problem, if you continue to store data you have collected unlawfully beyond that date in May, you are technically committing a breach.
How you go about rectifying any issues is obviously going to vary between businesses, and it will be dependent on the type and scale of the issue.
The types of things that small businesses are most likely going to have to do will include:
- Prior to the enforcement of the regulation at the end of May, businesses may choose to contact their existing customers to secure their valid consent to things like marketing emails and newsletters – otherwise you may be in a position where you can no longer use that data.
Now is the time to start addressing those things.
Create a plan to ensure ongoing compliance
- What data you collect, how you process it and the measures that you take to make sure that the data is secure;
- The rights that individuals have to the data that you hold about them – including how people can withdraw consent or object to how you process their data;
- Who is responsible for data privacy within your business, and how they can be contacted.
You will also need to ensure that everybody within your business is aware of the importance of personal data privacy, so that your best-laid plans are not undermined by others simply not following them.
Introduction & Commitment to data privacy
It serves as a good introduction to the rest of the document, and explains that collecting data is something that is necessary in order to run your business. It sets the context.
It is important that you identify your business and clearly provide the contact details of who should be contacted for any data privacy matters. If you operate as a limited company, you should give your full company name and any trading names that you operate under.
Larger companies (over 250 employees) are likely to need to designate a specific Data Protection Officer (DPO), and this brings with it a whole raft of other requirements for record keeping and so on. Small businesses will most likely not require a DPO, but you still need to provide a clear statement of how people should contact your business with any data issues.
If this is in the form of an email address, you need to make sure that it is one that is regularly monitored – you do NOT want to inadvertently miss a privacy issue or complaint because there are timeframes in which you need to respond.
Describe what data you collect, how you use it and what your legal basis is for doing so
This might seem laborious, but if you’ve been following our suggested method for creating a Personal Data Log, you should already have all this information: you need to give a clear, plain-English description of the types of data you collect, why you collect it and what your legal basis for doing so is.
You might, for example, state that:
You will need to create a similar statement for each of the different data inputs that you have identified in your Personal Data Log.
Please note that if your business operates a website, you will need to include references to whether your website stores cookies on the user’s device and if so, what those cookies are. The details around Cookies are deserving of an article in their own right and we will address that separately.
Who you share the data with
Individuals will rightly want to know whether the data that they give you is kept entirely within the confines of your business, or whether it is shared with anyone else.
This is an opportunity to explain that you will never sell or otherwise share the personal data with a third party for any reason other than the ones that you outline here.
How the data is protected
It is important to make it clear what steps you take to ensure the security of the data that you process. This might refer to the physical security of paper documents, or the username/password based restrictions that are placed upon electronic data.
The rights of the individual
- The right for the individual to require you to confirm whether you hold any personal data about them;
- The right for the individual to require you to provide them with a copy of all of the data you hold about them, in a format that is meaningful to them;
- The right for the individual to easily withdraw any valid consent that they have previously given;
- The right for the individual to require you to rectify any incorrect or incomplete data that you hold about them;
- The right for the individual to require you to erase any personal data held about them (the ‘right to be forgotten’);
- For any data that you collect based on a lawful basis other than consent, the individual has the right to object to that processing, and you have a responsibility to consider that objection. The individual also has the right to require you to prevent any further processing of that data until their objection is dealt with;
- The right for the individual to make a complaint to the relevant data protection authority (which is the Information Commissioner’s Office in the UK);
- Generally, individuals can exercise these rights without paying you a fee.
Once you’ve digested these rights, you will realise that these are not trivial matters. Could you locate and erase all information relating to a particular individual if you needed to? And could you do it without deleting information relating to others?
When an individual contacts you to exercise any of these rights, this process is generally referred to as a Subject Access Request (SAR). In general terms, you have one month to provide the information or take the action required by a SAR.