GDPR Action Plan Part 4
How to be GDPR compliant on an ongoing basis
In this article, we’ll look at:
- Identifying and rectifying your data privacy weaknesses
- How to write a Privacy Policy
- Some further resources
Background
In our previous articles, we’ve looked at:
- How to audit your business to understand what personal data you are collecting;
- How to identify the different types of ‘processing’ of that data, and what you are actually doing with the personal data you hold;
- The 6 lawful grounds for processing data under the GDPR.
The natural conclusion to this process is to pull everything together so that:
- You have identified any weaknesses in your data privacy processes – including understanding whether anything you currently do would constitute a breach under the GDPR;
- You can confidently assert your legal basis for processing your different types of personal data;
- You have a specific plan for rectifying any issues you discover;
- You can create a Privacy Policy that is effective in informing your data subjects and protecting you as a business.
Let’s crack on.
Identifying and rectifying weaknesses and potential breaches
The principle here is pretty straightforward – by identifying how you are processing individuals’ personal data, and establishing the lawful basis for doing so, you will naturally discover any situations where you are unable to justify (in GDPR terms) the processing that you undertake.
Some examples might include:
- Where you process a type of data without the level of consent that the regulation requires, and where there is no other lawful basis that you can rely upon – such as continuing to use an ‘implied’ consent model;
- Where you collect more data than is required to carry out the purpose for which it was collected;
- Where you are holding onto old (and probably out-of-date) personal data that you no longer have a legitimate reason for keeping;
- Where you are unsure where a type of electronic data is stored, or who therefore has access to that data;
- Where more people have access to personal information than is required, or the data is otherwise not held securely.
There are probably many other examples, but the point is this:
In order to have a chance at GDPR compliance, you need to fix these issues – either by changing your internal processes to address the specific issue, or by stopping the ‘offending’ processing and securely removing any data that you have collected in that manner.
Pragmatically, the time to do that is before the GDPR comes fully into force on 25th May 2018 – because even if you have a plan to rectify the problem, if you continue to store data you have collected unlawfully beyond that date in May, you are technically committing a breach.
How you go about rectifying any issues is obviously going to vary between businesses, and it will be dependent on the type and scale of the issue.
The types of things that small businesses are most likely going to have to do will include:
- Creating a compliant Privacy Policy, and making it conspicuously available to people whose data you collect (we’ll move onto Privacy Policies later in this article);
- Changing the way your website forms work to ensure that there is a suitable ‘consent’ checkbox, with links to your Privacy Policy – and a process of tracking who has consented, and to what;
- Prior to the enforcement of the regulation at the end of May, businesses may choose to contact their existing customers to secure their valid consent to things like marketing emails and newsletters – otherwise you may be in a position where you can no longer use that data;
- Speak to whoever looks after your company website to ensure that you fully understand the site’s use of cookies, where the website servers are physically located, and who has access to them.
Now is the time to start addressing those things.
Create a plan to ensure ongoing compliance
This is where all of the hard work that you’ve put in up to this point all comes together. The output of this stage of the process will be a Privacy Policy that documents, among other things:
- What data you collect, how you process it and the measures that you take to make sure that the data is secure;
- The rights that individuals have to the data that you hold about them – including how people can withdraw consent or object to how you process their data;
- Who is responsible for data privacy within your business, and how they can be contacted.
You will also need to ensure that everybody within your business is aware of the importance of personal data privacy, so that your best-laid plans are not undermined by others simply not following them.
Your Privacy Policy
Creating a compliant Privacy Policy is one of the few obvious ‘must haves’ that comes out of the GDPR. It is hard to see how any business can possibly be compliant without one – because it is your main opportunity to demonstrate that you are being open and transparent about the data you collect.
The exact details of what a privacy policy should say will vary between businesses, so I can’t tell you precisely what should go into it for your business, but the format I describe below should most definitely get you onto the right track.
Introduction & Commitment to data privacy
Whether this actually achieves anything tangible is up for debate, but it seems logical that a good place to start with a privacy policy is to state outright that, as a business, you are committed to maintaining the privacy and security of the data you collect from individuals.
It serves as a good introduction to the rest of the document, and explains that collecting data is something that is necessary in order to run your business. It sets the context.
Identify yourself
It is important that you identify your business and clearly provide the contact details of who should be contacted for any data privacy matters. If you operate as a limited company, you should give your full company name and any trading names that you operate under.
Larger companies (over 250 employees) are likely to need to designate a specific Data Protection Officer (DPO), and this brings with it a whole raft of other requirements for record keeping and so on. Small businesses will most likely not require a DPO, but you still need to provide a clear statement of how people should contact your business with any data issues.
If this is in the form of an email address, you need to make sure that it is one that is regularly monitored – you do NOT want to inadvertently miss a privacy issue or complaint because there are timeframes in which you need to respond.
Describe what data you collect, how you use it and what your legal basis is for doing so
This might seem laborious, but if you’ve been following our suggested method for creating a Personal Data Log, you should already have all this information: you need to give a clear, plain-English description of the types of data you collect, why you collect it and what your legal basis for doing so is.
You might, for example, state that:
“if you send us a message via our website’s online contact form, we need to collect certain data from you (your name and email address). We need to use this information to respond to your request – but we will also always ask for your consent to process this data before you submit the enquiry, and you will see a link to this Privacy Policy. We will not use this data for any other purpose unless you have given us your additional permission to do so. We will not share this information with anyone outside of the organisation. The data may be held for up to 12 months (although this may be extended if you choose to create an account with us or purchase products/services from us).”
You will need to create a similar statement for each of the different data inputs that you have identified in your Personal Data Log.
Please note that if your business operates a website, you will need to include references to whether your website stores cookies on the user’s device and if so, what those cookies are. The details around Cookies are deserving of an article in their own right and we will address that separately.
Who you share the data with
Individuals will rightly want to know whether the data that they give you is kept entirely within the confines of your business, or whether it is shared with anyone else.
This is an opportunity to explain that you will never sell or otherwise share the personal data with a 3rd party for any reason other than the ones that you outline here.
How the data is protected
It is important to make it clear what steps you take to ensure the security of the data that you process. This might refer to the physical security of paper documents, or the username/password based restrictions that are placed upon electronic data.
The rights of the individual
The GDPR makes a number of clear statements about the new rights that individuals have over the data that you collect about them. Whilst this is public domain information, you must restate those rights within your Privacy Policy.
They are:
- The right for the individual to require you to confirm whether you hold any personal data about them;
- The right for the individual to require you to provide them with a copy of all of the data you hold about them, in a format that is meaningful to them;
- The right for the individual to easily withdraw any valid consent that they have previously given;
- The right for the individual to require you to rectify any incorrect or incomplete data that you hold about them;
- The right for the individual to require you to erase any personal data held about them (the ‘right to be forgotten’);
- For any data that you collect based on a lawful basis other than consent, the individual has the right to object to that processing, and you have a responsibility to consider that objection. The individual also has the right to require you to prevent any further processing of that data until their objection is dealt with;
- The right for the individual to make a complaint to the relevant data protection authority (which is the Information Commissioner’s Office in the UK);
- Generally, individuals can exercise these rights without paying you a fee.
Once you’ve digested these rights, you will realise that these are not trivial matters. Could you locate and erase all information relating to a particular individual if you needed to? And could you do it without deleting information relating to others?
When an individual contacts you to exercise any of these rights, we will generally refer to this process as a Subject Access Request (SAR). In general terms, you have one month to provide the information or take the action required within a SAR.