THE ESSENTIALS OF GDPR: WHAT YOU NEED TO KNOW

Author: Digidly Com

STEP 1 - AWARENESS

Employees should be "in the know"

It is important that every member of an organisation understands how their role is impacted by a regulation and how they can contribute towards complying with it.

With the GDPR, the product development team is expected to know what "privacy by design" means and how to incorporate it into product workflows. The marketing team should know when it has a legal right to send emails to customers (and when it does not). IT departments are expected to know what good security looks like. HR teams should be ready to respond to requests from members of staff about their personal information.

If the regulator’s expectations are not met by an organisation, that organisation will not be compliant with data protection law, including the GDPR. If your product development team does not understand its responsibilities, non-compliant products will be released, which could lead to customer complaints.

If your marketing team sends out marketing emails to individuals when they have no right to do so, a complaint could be made to the regulator. If your IT department does not understand what good security looks like there could be a data breach which has to be notified to the regulator. And if your HR team does not respond to an information request from an individual, a claim could be made against your organisation by that individual.

In all these scenarios, there is a risk of bad publicity and fines resulting directly from a failure to train your staff. However, let’s not be too alarmist about all this. There are very positive reasons to train all your staff in GDPR compliance.

What does a compliant company look like?

A company that is GDPR compliant regularly trains all its staff. First, employees are brought "in the know" with a general presentation.

Then the company conducts training and refresher sessions on a regular basis. It incorporates data protection training into its onboarding process for new employees and into the engagement of contractors.

A compliant company does not simply train its staff and then forget about data protection compliance – it embeds data protection compliance into company culture so that protecting personal information becomes second nature.

Appoint the persons responsible or a DPO

It is important to identify who, within your organisation, is responsible for privacy compliance and who else is involved:

  • individuals who are authorised to decide on important matters on behalf of the organisation
  • individuals who know about law, technology and data processing within an organisation
  • people who recognise the importance of privacy compliance.
DPO - Data Protection Officer

Most companies will not be required to appoint a DPO: the obligation depends on what the organisation does with personal data rather than on its size, and most organisations do not carry out large-scale monitoring or profiling of individuals or large-scale processing of special categories of data.

However, you should carry out and document a formal assessment, so that you can produce written reasons for your decision if a regulator later asks.

Even if it is not obligatory, you can still appoint a DPO (art. 37).

In any case, you must appoint a DPO if:

  • you are a public authority or body
  • your core activities consist of processing operations that require regular and systematic monitoring of individuals on a large scale
  • your core activities consist of large-scale processing of special categories of personal data (Art. 9, for example health data) or of data relating to criminal convictions and offences (Art. 10).
Any organisation is able to appoint a DPO

Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.

There is no specific training or certification required for a DPO. What is required is that they have expert knowledge of data protection law and practice and that they understand your organisation and its processing.

They do not have to attend any specific courses, but you should ensure that they keep up to date on all relevant issues and forthcoming legislation.

They act as the contact point for the supervisory authority (the data protection authority of your country) and for data subjects.

STEP 2 - PREPARATION

Inventory of personal data processing operations

To be able to act in accordance with the GDPR, you must firstly inventory the personal data processing operations within your organisation. You should know which data is used, by whom and for what purposes. Then you can assess what needs to be changed in order to be compliant.

Record the whole inventory in a document. For most organisations this doubles as the record of processing activities that Art. 30 requires, so it should capture, for each processing operation, the purpose, the categories of data and data subjects, the recipients, the retention period and the security measures applied.

Having mapped your data inventory, you will have a better idea of the data processing operations within your organisation, the greatest risks associated with those operations, and what will change for you. You can then decide what action to take and which subjects are a priority for your organisation.

Introduce a data minimisation policy: decide on your retention periods

The GDPR emphasises the obligation not to process more personal data than necessary. This is also referred to as data minimisation.

In this context it is important to determine, for each purpose, how long you will retain the personal data, and to ensure that the data is deleted (or anonymised) promptly once that period expires. A retention period that exists only on paper is not enforced; it has to be tied to the records in your systems so that expiry can actually be detected.
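The following is an added example, not part of the original page or of any digidly.com tooling, showing how the inventory and the retention periods from the two preceding sections can be tied together so that expiry is enforceable rather than a paper policy. The inventory entries, purposes, record IDs and retention periods are constructed for illustration; real ones would come from your own record of processing activities. The point it makes beyond the text is that a record whose purpose has no decided retention period, or is not in the inventory at all, must be surfaced as a gap rather than silently kept.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ProcessingActivity:
    """One entry of the inventory (record of processing activities).

    retention_days is None when the organisation has not yet decided a
    retention period for this purpose, which the minimisation policy says it must.
    """
    purpose: str
    data_categories: tuple[str, ...]
    lawful_basis: str
    retention_days: int | None


# Constructed, hypothetical inventory: one entry per processing purpose.
INVENTORY: dict[str, ProcessingActivity] = {
    "payroll": ProcessingActivity("payroll", ("name", "bank account", "salary"), "contract", 7 * 365),
    "newsletter": ProcessingActivity("newsletter", ("email",), "consent", 2 * 365),
    "recruitment": ProcessingActivity("recruitment", ("cv", "email"), "legitimate interest", None),
}


@dataclass(frozen=True)
class StoredRecord:
    """A record held in some system, tagged with the purpose it was collected for."""
    record_id: str
    purpose: str
    collected_at: datetime  # timezone-aware (UTC)


def activities_without_retention(inventory: dict[str, ProcessingActivity]) -> list[str]:
    """Purposes in the inventory for which no retention period has been decided."""
    return sorted(p for p, a in inventory.items() if a.retention_days is None)


def records_due_for_deletion(
    records: list[StoredRecord],
    inventory: dict[str, ProcessingActivity],
    now: datetime,
) -> tuple[list[str], list[str]]:
    """Split records into (expired, unresolved).

    expired:    retention period for the record's purpose has elapsed -> delete/anonymise.
    unresolved: purpose is missing from the inventory or has no retention period.
                These are reported rather than kept quietly, because both are gaps
                in the inventory, not a decision to retain.
    """
    expired: list[str] = []
    unresolved: list[str] = []
    for r in records:
        activity = inventory.get(r.purpose)
        if activity is None or activity.retention_days is None:
            unresolved.append(r.record_id)
            continue
        if now - r.collected_at >= timedelta(days=activity.retention_days):
            expired.append(r.record_id)
    return sorted(expired), sorted(unresolved)


# Constructed sample data: a fixed "now" and a handful of stored records.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    StoredRecord("emp-1", "payroll", datetime(2016, 1, 15, tzinfo=timezone.utc)),      # > 7 years: expired
    StoredRecord("emp-2", "payroll", datetime(2020, 3, 1, tzinfo=timezone.utc)),       # still within 7 years
    StoredRecord("sub-9", "newsletter", datetime(2021, 5, 1, tzinfo=timezone.utc)),    # > 2 years: expired
    StoredRecord("cand-4", "recruitment", datetime(2019, 1, 1, tzinfo=timezone.utc)),  # no period decided
    StoredRecord("log-7", "web-analytics", datetime(2023, 1, 1, tzinfo=timezone.utc)), # purpose not inventoried
]

if __name__ == "__main__":
    print("purposes without a retention period:", activities_without_retention(INVENTORY))
    expired, unresolved = records_due_for_deletion(SAMPLE_RECORDS, INVENTORY, SAMPLE_NOW)
    print("due for deletion:", expired)
    print("inventory gaps to resolve:", unresolved)
```

Run as a scheduled job against the real record store, the "unresolved" list is the useful output for the person responsible for compliance: every entry in it is either a purpose nobody has set a retention period for, or data being processed for a purpose that is not in the inventory at all.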

Update your security policy and apply privacy by design and privacy by default

Under the GDPR you must take "appropriate technical and organisational measures" to secure personal data.

What is appropriate depends on the risk of the processing: you must be able to demonstrate that you have taken appropriate measures and to explain the reasoning behind them in a way a regulator can follow.

It is partly for that reason that it is important to check whether your security policy is still compliant and to update it where necessary.

Employees should read and acknowledge the updated data protection policy. In addition, the GDPR introduces obligations regarding privacy by design and privacy by default.

This means that when you select the means of processing, and when you design systems or applications, you must build personal data protection in from the start, for example through security measures and data minimisation.

Default settings must ensure that only the personal data necessary for each specific purpose is processed. The rights of the individuals concerned must be taken into account at all times, including in the design of a processing operation.

Stakeholder and consumer awareness

A number of your data processing operations will probably be based on the principle of consent.

Consent is valid only if it is "freely given, specific, informed and unambiguous", without coercion. It can be given by a statement or by a clear affirmative act, such as ticking a box, provided sufficient information has been given first. Silence, inactivity or pre-ticked boxes do not constitute consent.

You must be able to demonstrate that you have obtained the valid consent of data subjects to process their personal data.

Furthermore data subjects are entitled to withdraw their consent at any time. This must be as simple as giving consent, and before data subjects give their consent, they must be informed of this right. Otherwise consent is invalid.

Check your processors and data processing agreements

A processor is a third party that processes personal data on behalf of an organisation.

These may include service providers that do your payroll accounting, but also all kinds of cloud or other IT services where the provider stores, or can access, personal data you control.

Contact each processor (by email or post) to confirm how it complies with the GDPR, and make sure a written data processing agreement is in place covering the terms Art. 28 requires: processing only on your documented instructions, confidentiality, appropriate security measures, your approval of sub-processors, assistance with data subject requests and breaches, and deletion or return of the data at the end of the service.

STEP 3 - IMPLEMENTATION

Implement tools to respect the new rights of data subjects

The GDPR gives particular attention to the rights of data subjects.

For example, data subjects have the right to access and rectify their details. Moreover, individuals are given more ways to control how their data is processed: the right to erasure, the right to restriction of processing, the right to data portability and the right to object.

Their rights are being strengthened and expanded. Therefore, evaluate your procedures for granting access and handling the other requests, and set out how individuals can exercise their rights under the GDPR within your organisation and who responds, within what time frame.

The information data subjects are entitled to about the processing (who you are, the purposes, the lawful basis, the retention periods and their rights) should, in principle, be provided at the time the personal data is collected.

DPIA: data protection impact assessment

Under the GDPR you may be obliged to carry out a data protection impact assessment ("DPIA", Art. 35).

A DPIA is an instrument that allows you to assess the privacy risks of a data processing operation before it is carried out, so that measures can be taken to reduce those risks.

But when is there a need for a DPIA? A DPIA is mandatory for (envisaged) data processing operations which, given their nature, context and objective, represent a high risk to privacy.

There is certainly a high risk in the following cases:

  • if you assess individuals on the basis of personal characteristics and base decisions on those characteristics. This includes profiling and prediction;
  • if you process sensitive personal data, such as data regarding health, data on crime or political preferences, on a large scale;
  • if you monitor people in public places systematically and on a large scale (e.g. camera surveillance).

In all other instances you must decide for yourself whether an operation entails a "high risk".

If your processing operation meets two or more of the criteria in our DPIA guide (which follow the criteria set out by the European data protection authorities in their DPIA guidelines), you can assume that you must carry out a DPIA.

Draw up a data breach protocol and keep a register

Under the GDPR you may be obliged to report a data breach to the competent authority and/or the data subjects. A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It therefore covers not only the release (leak) of data, but also unauthorised access, unlawful alteration and accidental destruction or loss, for example data encrypted by ransomware that was never exfiltrated.

Under the GDPR you must notify the data protection authority of your country without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals (Art. 33). Where the breach is likely to result in a high risk to individuals, you must also inform the affected data subjects without undue delay (Art. 34). Because the 72 hours run from the moment of awareness, define in advance what counts as "becoming aware" and who makes that determination.

In addition, the GDPR imposes the requirement that all data breaches – both reported and unreported – that have occurred in your organisation, be documented in a register. Based on this, the competent authority can check whether you have complied with your reporting obligation.

Data breach protocol

To be able to comply with the aforementioned obligations, you must ensure that you are aware of a data breach as soon as it occurs and take appropriate action immediately. It is important to have a data breach protocol.

In the protocol you record the steps to be taken if your organisation is confronted with a data breach, what information must be collected, recorded and/or reported, by whom, and within what time frame.

For more information visit digidly.com.

Got any questions? Get in touch with us:

https://digidly.com/contact-us