A GDPR Journey: Where To Start and What To Do Next

Published by Alisha McKerron on 11 February 2019

The European Union’s General Data Protection Regulation (GDPR) imposes many obligations on anyone who processes personal data, with substantial fines (art. 83) for any breaches. Although some of these obligations are not altogether new, they are much more extensive: the regulation has an extended material and territorial scope (art. 3), extends to data processors (art. 28) and gives data subjects enhanced rights (ch. III). The definition of personal data (art. 4) is much broader too. There is much more to worry about!

If you are non-compliant, what should you do, particularly if you do not have a budget to spend on making amends? Perhaps the starting point is for you to view privacy compliance as the end destination of an ongoing journey. Your focus should be on travelling in the right direction and being able to demonstrate this. This way, regulators are more likely to focus less on you, and more on those who don’t comply or won’t comply. So where should one start?

The most visible starting point, for most organisations, has been the publication of a privacy notice before GDPR came into force. Less visible is the appointment of a data protection officer (DPO) (art. 37), which is required under the new regulation if you carry out certain types of processing activities. DPOs can now report to one lead supervisory authority in instances of cross-border processing, which is a welcome change.

Privacy Notice

Preparing a privacy notice is a good place for you to start, for a variety of reasons. Firstly, the content (art. 13) of the privacy notice is regulated, which means you will have to find answers to the following questions to prepare it correctly:

  • Who is collecting the data?
  • What data is being collected?
  • What is the legal basis for processing the data?
  • Will the data be shared with any third parties?
  • How will the information be used?
  • How long will the data be stored for?
  • What rights does the data subject have?
  • How can the data subject raise a complaint?

To find the answers you will need to update existing data maps or prepare new ones. Data maps must reflect the current situation on an ongoing basis. You will need to show that you have at least one of the legal bases (art. 6) for processing. If you are relying on old consents, you will need to refresh them so that they fall within the new definition of consent (art. 4); if you are relying on legitimate interest, you should complete a legitimate interest assessment. Checking your legal bases will help you better understand how you are using personal data.

You will also need to find out if the personal data you are processing is shared with others and mention this in your notice. Under the new regulation you are obliged to have a data processing agreement with every data processor you use. (Revising existing data processing agreements and/or agreeing new ones is an item to put on your things-to-do-next list.)

The position regarding restricted transfers of personal data to non-EU countries has not changed that much: transfers continue to be restricted. There is, however, the thorny issue of Brexit looming. Have a look at the Information Commissioner’s Office guidance to help you decide if you will be affected.

If you are making international transfers of personal data, you must disclose this (art. 15(2)) and the permissible ground (ch. 5) you are relying on to do so. Grounds include: the European Commission has made an “adequacy decision” about the country in which the receiver is based; the restricted transfer is covered by appropriate safeguards (including binding corporate rules); or the restricted transfer is covered by an exception.

You must also disclose the use of cookies or similar technology under the GDPR and under the Privacy and Electronic Communications Regulations (PECR), and ensure that you have a legal basis under GDPR for any processing that ensues. (It is worth taking the time to understand the overlap between PECR and GDPR, as it can be confusing.)

GDPR provides that you must not keep personal data for longer than you need it and that you must disclose how long you will store the information. If you do not already have a data retention policy with a document retention schedule, you should prepare one.

You must notify your data subjects of their enhanced privacy rights and new privacy rights, and be prepared to respond if they choose to exercise them. New privacy rights include data portability (art. 20), the right to be forgotten (art. 17) and safeguards for data processing by automated means (art. 22). (Ensuring that you have updated your policies and procedures to help your staff respond to the new rights, as well as the old enhanced rights (e.g., data subject access requests), in a correct and consistent way is another item to add to your list.)

Obligations with time constraints

After publishing your privacy notice, the next thing you should do is identify any privacy obligations (whether under the regulation or by agreement) with time constraints attached. Reputational damage for non-compliance should not be underestimated.

One such obligation is the new duty to report personal data breaches (art. 33) to the supervisory authority and to affected individuals. An internal breach register must also be maintained. GDPR requires you to notify the supervisory authority without undue delay, and not later than 72 hours after becoming aware of the breach, if the breach is likely to result in a risk to the rights and freedoms of natural persons. If the data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data subjects must be informed too, without undue delay. Questions worth considering include:

  • Do you have something in place (e.g. an API or web forms to document paper incidents) that facilitates both identifying and reporting personal data breaches?
  • Do you have a consistent approach (i.e. a risk assessment) to determine whether an incident is subject to a notification obligation, or are you possibly over-notifying?
  • Are you determining the jurisdictions impacted and the number of individuals involved on a consistent basis?
  • Does it make sense to create a diverse team to triage and risk-rank incidents, to ensure that they are being escalated appropriately?

Another obligation with a time constraint is the revised subject access request (art. 12 and 15). Now a request can be communicated over the phone (art. 15(3)) and the associated costs can’t be claimed. You must respond without undue delay and at the latest within one month (as opposed to the old 40 days) of receipt. The same new time period applies to the right to rectification (art. 16). Again, it is worth checking that you have sufficient resources, policies and procedures in place to respond.

Conclusion

The most helpful way of tackling GDPR compliance is to view it as a journey to an end destination. Expect to discover compliance weaknesses on your journey and compile a things-to-do-next list to help propel you forward. To begin with, it may feel like your end destination is getting further away rather than closer, but don’t let this bog you down. What’s important is that you continually move forward in the right direction, are transparent about how you collect and process personal data, and are constantly striving to keep your customers’ personal data secure.