
Suggested Actions for GDPR Implementation

Jan 10, 2018   //   by Know Your Compliance   //   Blog, General

The Impending GDPR

There are not many businesses who haven’t heard of the data protection changes due on 25th May 2018! The General Data Protection Regulation (GDPR) (2016/679) brings data protection legislation into the 21st century digital age, enforcing a risk-based approach on those processing personal data.

With stronger rights for data subjects and tighter controls in areas such as transfers, data minimisation and the security of processing, the GDPR necessitates a review and revision of existing data protection measures and procedures; alongside the development and implementation of new requirements.

Checklists, Toolkits and Templates… Oh My!

The internet is now saturated with organisations offering tools, templates and solutions for GDPR compliance, and whilst many have a place in aiding the implementation of an effective data protection program, buying complete GDPR compliance ‘off-the-shelf’ is a myth!

Using pre-defined data protection policies, procedures and checklists (if developed properly) is a great way of building a compliant data protection regime with effective gap analysis, written procedures and supporting policies. However, these will not negate the time, effort and resources that organisations must spend on gaining and maintaining compliance with the Regulation.

Steps & Actions for GDPR Compliance

This section is certainly not a definitive list or complete set of suggested actions; however, it does offer guidance from a range of sources on steps that can aid compliance with, and implementation of, the GDPR. Such sources include our own knowledge and experience, the ICO checklists for controllers and processors, the Regulation (Articles and Recitals) and other guidance notes and papers.

  • GDPR Compliance Checklist – whether you purchase a checklist, use one of the ICO’s or create your own, utilising a checklist can help identify gaps and ascertain which areas of your data protection program need improvement or are non-compliant. Such actions are only as good as the checklist being used, so make sure that it is complete, compliant and relevant!
  • Information Audit – one of the ICO’s first recommendations for GDPR preparation is to map the personal data flows within your business. Larger organisations can complete an audit in each business area if required, with SMEs often preferring to use one information audit for the whole business. The aim of the data map is to see how personal data flows into, through and out of the business and to document the what, where, who and how of all personal data. Template headings can include: –
    • Purpose of data
    • Types of personal data
    • Source
    • Where data is located & in what format
    • Legal Basis for Processing
    • Retention period
    • Recipients
    • Transfers
  • Review Consent & Privacy Notices – previous consent does not need repapering if it complied with the GDPR requirements when obtained; however, if not compliant you should seek fresh GDPR-compliant consent. Mechanisms for obtaining consent should be reviewed and privacy notices updated to ensure that they contain the Article 13 & 14 information disclosures. When reviewing/developing consent mechanisms, the ICO suggest that organisations: –
    • Check that consent is the most appropriate lawful basis for processing
    • Ensure that consent requests are clear, prominent and separate from any T&C’s
    • Give granular options to consent separately to different types of processing (if appropriate)
    • Provide name & contact details of your business & any relevant third-party who will rely on the consent
    • Explain the right to withdraw consent, note how to do this & make it simple and clear
    • Ensure individuals can refuse to consent without detriment & that it is not a precondition of a service
    • Have mechanisms for recording and managing consent, recording how & when consent was obtained
    • Regularly review consent to check that the relationship, processing and the purposes have not changed
  • Online Services for Children – if applicable, you must ensure that you have effective systems and controls in place to manage the consent mechanisms. Consider processes for verifying the age of an individual and if applicable, ensure that you obtain parent/guardian consent to process the data of a child 13 years or under. Privacy notices aimed at children must be concise, clear, easy to understand, easy to access and be reviewed regularly.
  • Data Protection by Design & Default – Article 25 refers to data protection by design and by default: implementing appropriate technical and organisational measures, designed to implement the data protection principles and meet the requirements of the Regulation. Not just a single action, this function calls for organisations to adopt an approach that promotes security, privacy and data protection compliance from the start of projects and at the core of the business. It encompasses data minimisation, processing only that which is necessary, limited retention and restricted access.
  • Data Protection Policy – many organisations already have such a policy in place, however, the GDPR will necessitate a revised/new policy covering areas such as data subject rights, the business’s approach to data protection, guidance for employees and third-parties etc. The policy can also extend to include procedures for areas such as secure processing, data minimisation, transfers and disclosures.
  • Risk Management – the GDPR takes a risk-based approach and notes that ‘risk should be evaluated on the basis of an objective assessment, [to] establish whether data processing operations involve a risk or a high risk’. Organisations carrying out certain processes and functions are obligated under Article 35 to carry out a Data Protection Impact Assessment (DPIA) to establish if processing is likely to result in a high risk to the rights and freedoms of individuals. Alongside procedures for completing DPIAs, businesses should have structured risk management policies and procedures as well as a risk register for documenting threats, vulnerabilities, and potential impacts.
  • Processing Activities – duplicating some of the data found on an information audit, some organisations may be required to maintain records of their processing activities under Article 30. If obligated, controller records should include: –
    • The controller/processor name and contact details
    • Details of DPO, joint controller & the controller’s representative (if applicable)
    • Purposes of the processing
    • Categories of data subjects & personal data
    • Recipients (who personal data is/will be disclosed to)
    • Transfers of personal data to a third country/international organisation
    • Documentation of suitable safeguards regarding transfers
    • Envisaged time limits for erasure of data
    • General description of the technical and organisational security measures
  • Data Protection Officer (DPO) – if you are obligated under Article 37 to appoint a DPO, you should document their duties and ensure that they have the support, resources and autonomy to carry out their role effectively and compliantly. The GDPR requires that a ‘DPO is designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39’. In addition, controllers/processors are required to publish the contact details of the DPO and communicate them to the supervisory authority.
  • Staff Guidance & Training – a Data Protection Policy can also be a guidance document for staff; however, for employees who are directly involved in the processing of personal data, you should ensure a robust and thorough program for their support and training. Implement procedures to guide staff on how to manage the personal data that you hold and what to do when individuals exercise their rights (i.e. subject access or rectification). Reporting lines and DPO details (if applicable) should be disseminated, with specific data protection training workshops being included in all induction phases, as well as on a regular basis for existing staff or those returning after long absences.
  • Data Subject Rights – there are several rights for individuals under the GDPR (some similar to the existing DPA), so having clear procedures and mechanisms in place to allow for the exercising of such rights is essential. Subject access requests, rectifying data, erasure & restricted processing all require a written process that employees can understand and follow. In most cases, requests should be actioned within one month of receipt and be free of charge, with communication being in a concise, intelligible and easily accessible form. Your information audit can be useful for data subject requests in identifying where data is located, in what format and any disclosure recipients.
  • Data Portability – this area has new requirements for data protection and in certain circumstances, organisations are expected to have controls and systems for enabling individuals to ‘receive their personal data in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without hindrance’. The ICO suggest that businesses: –
    • Implement a process that will enable individuals to submit a request
    • Ensure that the medium in which the data is provided has appropriate technical measures in place to protect the data it contains
    • Ensure that the medium in which the data is provided allows individuals to move, copy or transfer that data easily from one organisation to another without hindrance
  • Information Security – this goes hand in hand with data protection and all businesses should review or implement an Information Security Policy. It should seek to cover areas such as data minimisation (e.g. encryption, pseudonymisation), secure storage, transfer and disposal processes, access controls, network & physical security, updates & patch management, remote access and internet use.
  • Data Breaches – an area that requires its own policies and procedures; having processes in place to identify, measure, monitor and investigate personal data breaches is mandatory, as is effective incident management. Organisations should seek to develop and implement effective processes to identify, report, manage and resolve any personal data breaches, with dedicated staff training and support being made available. There must also be mechanisms in place to ensure that the mandatory breach notifications to the ICO and appropriate individuals (if applicable) are made.
  • Retention Periods – implement or review existing retention policies and schedules so that you can see at a glance why, when and for how long data should be retained (e.g. legal or statutory reasons), and when it must be disposed of. Your retention program should be reviewed regularly, with the role being assigned to a specific person/department to ensure compliance and continuity.
  • Processor Agreements – where you use third-party processors, it is essential that you have contracts/agreements in place to ensure they understand their obligations and responsibilities under the Regulation. Written processes should inform any data processors about the rectification, erasure and/or restrictions to data; if applicable, you should consider any standard contractual clauses and approved codes of conduct or certification schemes that can assist in the service agreement. Contracts should include certain specific terms, including the processor meeting the applicable GDPR requirements, regular reviews and audits of their service and processes, adequate security & technical measures and effective disposal processes.
  • Audits & Monitoring – having effective policies, procedures and controls to ensure data protection compliance is only half the process! Ongoing reviews, audits and monitoring of business functions and systems is essential for effective data processing and security. You should develop audit and monitoring processes that regularly review your data protection and associated policies and procedures for compliance with the Regulation and associated laws and test outcomes to ensure that they continue to be effective.
  • Non-EU Transfers – the GDPR enforces an adequate level of protection for any personal data transferred to, or processed by third countries or international organisations. Effective and robust procedures should be developed to ensure that any transfer of personal data outside the EU complies with the conditions laid out in Chapter V of the Regulation. Such conditions include ensuring that: –
    • There is a positive adequacy decision by the Commission; or
    • There are adequate, documented safeguards and measures in place (e.g. a legally binding and enforceable instrument, binding corporate rules, standard data protection clauses)
    • Enforceable data subject rights and effective legal remedies for data subjects are available
    • Regular audits and monitoring of the documented security arrangements take place

Further Information

The Regulation itself is the obvious place to start obtaining information about the GDPR and the areas where documentation and measures are required. However, there is also a wealth of useful information that can assist in the development and implementation process: –

GDPR Preparation Steps

Dec 8, 2017   //   by Know Your Compliance   //   Blog, General

The ICO’s GDPR checklists are now available to complete via their website and offer useful guidance in preparing for the forthcoming GDPR. After completing the checklist, you are provided with a report with suggestions on actions to take to prepare for, implement & comply with the Regulation.

Below are a handful of the ICO’s suggested actions & measures from the controller checklist: –

• Organise an information audit across your business to identify the data that you process and how it flows into, through and out of your business
• Identify and document any risks you have found (e.g. using a risk register)
• Maintain records of processing activities in accordance with Article 35 (if applicable)
• Ensure you have procedures to guide staff on how to manage personal information
• Write or revise your Privacy Notice and ensure it covers the Article 13/14 requirements (e.g. the lawful bases for processing data, retention periods, third-party use, purpose(s) of processing, controller, processor and DPO details etc.)
• Keep a record of when and how you got consent from the individual
• Have a process for recognising & responding to any subject access requests
• Write an effective Data Protection Policy or update your existing document
• Provide GDPR awareness training to all staff
• Implement procedures to allow individuals to challenge the accuracy of the information you hold about them and have it corrected if necessary; and to request the deletion or erasure of personal information (where applicable)
• Create records management policies, with rules for creating and keeping records
• Establish a process to monitor compliance with the policies & Regulation
• Whenever your business uses a processor, ensure there is a written contract in place
• Establish a clearly communicated set of security policies and procedures

It is well worth taking the time to complete the ICO checklists.

GDPR Compliant Privacy Policy or Notice

Dec 7, 2017   //   by Know Your Compliance   //   Blog, General

One of the most frequent questions we get asked about the new data protection Regulation is how to write a GDPR compliant privacy policy or notice. The ICO has some excellent existing guidance on privacy notices and is updating its information all the time to ensure that firms of all sizes meet the GDPR requirements.

It is true to say that there is no exact ‘one-size-fits-all’ privacy notice that will cover every business, but using the Regulation, the Article 13 & 14 requirements, and supplementing guidance from the Recitals, the ICO and the WP29, Know Your Compliance have now drafted a GDPR Compliant Privacy Notice and have included it at no extra cost in both our GDPR Document Set and GDPR Policies & Procedure Set.

As with all of our compliance documents, corporate branding and customisation is required to ensure that you are fully compliant, and you will need to edit some of the privacy notice content to ensure that it is fit for purpose and meets the Regulation requirements.

Our notice covers the required headings, such as who you are, what your purpose and legal basis for processing are, retention periods, security measures & safeguards, controller, processor & DPO details, examples of processing purposes, third-party use, lodging a complaint and more.

ICO GDPR Checklists for Controllers & Processors

Dec 5, 2017   //   by Know Your Compliance   //   Blog, General

The ICO are replacing their existing GDPR checklist with 2 new versions, one for data controllers, and another for processors. The controller checklist is available now, with the processor version being released tomorrow (6th Dec).

The checklists are designed to assess your compliance with data protection legislation and include areas such as the new rights of individuals, handling subject access requests, consent, data breaches and DPOs.

Visit the ICO website to complete the GDPR checklists.

Our own GDPR Compliance Checklist provides an extensive gap analysis tool in Excel and Word for assessing your compliance with the Regulation requirements and for identifying gaps and areas for improvement before the GDPR comes into force. However, we have also designed the sections and questions to be beneficial after the Regulation is enforced, allowing the checklist to be used as a compliance tool during review audits.

GDPR Compliance Checklist

Nov 30, 2017   //   by Know Your Compliance   //   Blog, General

How are you preparing for the General Data Protection Regulation 2018 (GDPR)?

Whilst it is true that many firms will not be starting from scratch when it comes to developing and implementing effective data protection controls and measures, some of the new and stronger requirements posed by the GDPR will require policy revisions and new procedures to ensure compliance.

Start by reviewing, assessing and auditing your existing data protection procedures, measures, controls and systems using a GDPR Compliance Checklist and/or data protection gap analysis tool. Whether you purchase such a document or write your own, it needs to cover all aspects of the Regulation and to give you an appropriate and adequate checklist tool with which to assess your compliance with the new data protection regulation and laws.

It is also prudent to carry out an Information Flow Audit or data mapping, so that you can see what personal data you obtain, how you process it, the legal basis for processing, who you share it with and disclose it to, and any relevant overseas transfers and safeguarding measures.

Once you can see the path that your personal data flows through, developing policies and procedures and ensuring that you comply with the Regulation becomes an easier task. An information audit or data mapping exercise also helps once the Regulation comes into force, for ensuring that data subject rights are managed and complied with and that notification, data retention and breach procedures are adequate and tested.

GDPR Policy Template

Nov 30, 2017   //   by Know Your Compliance   //   Blog, General

Searches on Google for ‘data protection policy template UK’ have risen by over 2500% in the past 12 months, giving further evidence that firms are now starting to take the impending General Data Protection Regulation (GDPR) seriously and to prepare for the changes to UK data protection law.

A policy template for data protection is a great place to start, although most firms should already have such a document in place owing to their compliance with the Data Protection Act 1998! Starting from scratch may not always be required, but ensuring that you can meet the new and stricter requirements of the GDPR is essential.

So, what should a GDPR data protection policy contain?

At Know Your Compliance, we have many years and a vast array of knowledge and experience in policy writing and procedure development, and have been providing data protection and compliance documents for over 5 years. When developing our GDPR Policy & Procedure document, we found that the vast array of areas to be covered in the policy necessitated a suite of documents, instead of one policy that could soon become unmanageable.

Obviously, the larger or more complex the company, the more content will be required in the data protection policy to ensure that adequate and effective measures and controls are in place and that staff and third-parties have a working reference document that can support and advise them.

The standard requirements of a policy are areas such as a policy statement, document purpose, scope, objectives, responsibilities etc. But what controls and measures should you be adding to your data protection procedure document?

  • GDPR Principles
  • Lawfulness of Processing (legal basis)
  • Consent and Consent Withdrawal
  • Accountability & Governance
    • Privacy by Design
    • Encryption
    • Pseudonymisation
    • Data Minimisation
  • Data Subject Rights
    • Subject Access Request Procedures
    • GDPR Information Disclosures
    • Rectifications and Erasures
    • Handling Objections & Data Portability
    • Lodging a Complaint with the Supervisory Authority
  • Processing Activities
  • Security of Processing
  • Data Breaches & Notifications
  • Data Retention
  • Data Sharing & Transfers
    • Adequacy Decisions
    • Binding Corporate Rules
    • Safeguards & Measures
  • Codes of Conduct & Certification

Above are just some of the areas that should be included in a GDPR Policy & Procedure, providing processes and procedures for ensuring that you are compliant with the Regulation, that individuals can exercise their rights and that personal data under your remit is safe, secure and protected.

Know Your Compliance provide a range of GDPR documentation and toolkits, aimed at helping you to prepare for the new data protection regulation and to remain compliant once it is in force. From ready-to-use GDPR policies and procedures, through to GDPR compliance checklists and data protection impact assessments, we are here to help.

Data Protection Officer GDPR Requirement

Nov 22, 2017   //   by Know Your Compliance   //   Blog, General

Article 37 of the GDPR states when you are required to appoint a Data Protection Officer (DPO). The controller/processor must designate a DPO where: –

  • their core activities consist of processing operations which require regular & systematic monitoring of data subjects on a large scale
  • their core activities consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences
  • the processing is carried out by a public authority or body (excluding courts acting in their judicial capacity)

However, designating a DPO can be beneficial for many businesses, not just those where it is mandatory. Ensuring accountability and effective data protection oversight necessitates that the GDPR requirements are managed, monitored and understood. Whether voluntary or mandatory, a DPO’s role is often pivotal in the secure and compliant processing and management of personal data.

The DPO role should be assigned based on a person’s professional qualities and expert knowledge of data protection law and practices. DPOs must be able to perform their role in an independent manner, without instruction from the controller or processor, and should be included in all issues relating to data protection.

Organisations are responsible for supporting their DPOs, including with training, resources and time, and DPOs should never be berated or penalised for performing their tasks. A DPO’s duties include: –

  • inform and advise the controller, processor & employees of their GDPR obligations and data protection provisions
  • monitor compliance with the GDPR, data protection provisions and with the organisation’s data protection policies; including assigning responsibilities, awareness-raising & staff training
  • provide advice on data protection impact assessments
  • cooperate with, and act as contact point for, the supervisory authority

The full list of duties can be found under Article 39 of the GDPR, with detailed DPO Guidelines being available from the WP29.

Are the GDPR Recitals Important?

Nov 17, 2017   //   by Know Your Compliance   //   Blog, General

YES! Organisations should be reading the Recitals alongside the Articles to ensure complete compliance with, and understanding of, the Regulation.

The Recitals provide a mixture of additional information and supporting context, supplementing the Articles and making them more relatable; as well as providing essential information for effectively implementing the GDPR.

Article 25, for example (Data Protection by Design & Default), relates to the risks posed by processing and the requirement to implement appropriate technical and organisational measures (naming pseudonymisation and data minimisation).

When read in conjunction with Recitals 78 & 83, additional context and insight is provided, with Recital 78 stating that in order to be able to demonstrate compliance with the GDPR, internal policies must be adopted and the appropriate measures can include: –

  • Minimising the processing of personal data
  • Pseudonymising personal data as soon as possible
  • Transparency of processing, enabling the data subject to monitor the data processing

Recital 83 advises controllers to evaluate the risks of processing and implement measures to mitigate those risks, such as encryption and ensuring an appropriate level of security, including confidentiality. Recitals 28 & 29 are specific to pseudonymisation, with Recital 77 giving context to the guidelines of risk assessments.

GDPR & The ePrivacy Regulation

Nov 14, 2017   //   by Know Your Compliance   //   Blog, General

The Privacy and Electronic Communications Directive (2002/58/EC) goes hand in hand with data protection and focuses primarily on personal data, data protection and privacy in the digital arena. Known as the ‘ePrivacy Directive’, its core is rooted in the EU’s secondary law (Article 7 of the Charter of Fundamental Rights of the EU), the fundamental right to the respect for private life, regarding communications.

With the technological advances of the past decade, modernisation of the current data protection framework was essential, and so too followed a similar review of the privacy and electronic communications regulations.

The new ePrivacy Regulation proposes to replace the current Directive, working in conjunction with the GDPR, with specific focus on electronic communications data that qualifies as personal data. The new Regulation seeks to update the protection of the fundamental rights and freedoms relating to the confidentiality of information and communications (e.g. spam, traffic data and website cookies) and the respect for private life.

The new Regulation would be enforced in May 2018 alongside the GDPR, bringing stronger rules and a standardised approach to the regulation and protection of electronic communications. Some of the proposed Regulation changes are: –

● To streamline the cookie provision, with browsers being required to offer settings that provide an easy way to accept or refuse tracking cookies and other identifiers
● Opportunities for organisations to gain new business after consent has been given for communications data to be processed. Traditional telecoms operators will be able to provide additional services (e.g. producing heat maps indicating the presence of individuals).
● More effective spam protections with the banning of unsolicited electronic communications by emails, SMS and automated calling machines.

Read more about the proposal here.

GDPR Processing Activities Register Template

Nov 10, 2017   //   by Know Your Compliance   //   Blog, General

Maintaining written (including electronic) records of processing activities is a GDPR requirement under Article 30, applying to controllers & processors with 250+ employees (and in limited cases, to those with fewer than 250 persons).

Recital 82 advises that “each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.”

Each controller must record: –
● Name & contact details of the controller (if applicable, joint controller or controller’s representative)
● Name & contact details of the data protection officer
● The purposes of the processing
● Description of the categories of data subjects
● Description of the categories of personal data
● Categories of recipients to whom the personal data has/will be disclosed (including third countries or international organisations)
● If applicable, transfers of personal data to a third country/international organisation (including their identity and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards)
● If possible, the envisaged time limits for erasure of the different categories of data
● If possible, a general description of the technical and organisational security measures referred to in Article 32(1)

Processors must maintain records containing: –
● Name & contact details of the processor(s) & the controller on behalf of which they are acting
● If applicable, name & contact details of the processor’s representative, and the data protection officer
● Categories of processing carried out on behalf of each controller
● If applicable, transfers of personal data to a third country/international organisation (including identity & if applicable, the documentation of suitable safeguards)
● If possible, a general description of the technical and organisational security measures referred to in Article 32(1)

If you are developing your own registers for the mandatory GDPR records, there are many formats suitable, as well as database options. We have used Excel for our recently launched Information Flow template and Processing Activities Register, which are free inclusions in our GDPR Document Set and GDPR Policies.