The ProCheckUp 12 Steps to GDPR Guide
The ICO has released 12 steps to comply to the GDPR. Below are ICO steps along with ProCheckUp’s recommendations for attaining compliance.
Communicate with decision makers about the changes the GDPR will bring. If they understand the impact it will have, you’ll be more likely to gain their support sooner rather than later: look at your risk register if you have one.
- Compare your own company with compliance programs which are currently running and the crossover with EU GDPR. An example would be ISO27000 or PCI DSS programmes.
- Be proactive in creating awareness on GDPR regulations; this may include education pieces for the entire organisation, or at least anyone who does anything with customer data within your company.
Document the personal data you hold – where it came from and with whom it’s shared. Look within and outside your entire organisation as well as in specific areas. Consider the value of an information audit.
Create a customer data flow diagram for your network. This should give you a clearer indication of the data handlers/controllers/processors and you can begin to map processes against these.
- - Know what and where information is
- - Investigate how information flows through the business
- - Include ingress and egress points for data from third parties
- - Know what it’s used for and document this clearly
Review and update privacy notices and policies
Review your privacy notices and policies and build a plan for accommodating change.
Make notices clear and easy to understand, keep away from any “legalese” or jargon. Privacy notices need to clearly identify the following:
- - The identity and contact details of the data controller
- - The purposes of the processing, if that is one of the conditions for lawful processing
- - The period for which the personal data will be stored
- - Countries or organisations that the processor may transfer the data to and the level of protection afforded by that country
- - The source of the data if it has not been collected from data subjects themselves
- - Whether providing personal data is voluntary or obligatory and the possible consequences of not providing the information
- - Any other information necessary to guarantee the fair processing of individuals’ data
- - Recipients or categories of recipients with whom the personal data are likely to be shared
- - The data subjects’ rights, including: right of access to own personal data, right of correction, erasure, to object to processing, and the right to lodge a complaint with the ICO
Know individuals’ rights
Your procedures should address all the rights given to individuals. These include: having inaccuracies
Correcting, erasing information and preventing direct marketing without consent. Make sure you know who is making decisions about deletion and if your systems support this. Don’t forget to explore data portability and the formats you use to supply information.
Be aware of the main rights of individuals and how they impact your business operation. These rights include:
- - where and by whom their data is being processed
- - to have inaccuracies corrected
- - to have information erased;
- - to prevent direct marketing
- - to challenge and prevent automated decision-making and profiling
- - data portability; allowing the customer to obtain their own data and use for their own purpose across different services, this must be done in an open format (CSV or otherwise)
Be ready for subject access requests
Update your procedures so you can handle requests within shorter timescales, including correcting inaccurate information. If you deal with a lot of requests, you may want to invest in online access.
Look at how data is stored and whether it is easily accessed by the correct data controller and how this can be sped up in a controlled way. Online access by the customer may speed this up. but would need to be reflected in your risk register after presenting the data to the internet.
Have a legal basis for processing personal data
Know why you’re collecting and using personal data and make sure you have a legal basis beforeyou process it. You need to be able to explain legitimate interests, not just make the claim.
- Understanding the purpose of the data being collected There needs to be a legitimate reason for collecting it and informed consent must be obtained. 7. Review consent
- Assess how you are seeking, obtaining and recording consent. Consent needs to be freely given, specific, informed and unambiguous. Consent cannot be inferred.
Consent needs to be explicit and straightforward. Remember that consent can be revoked at any time and you are required to give notice every time the original agreement changes.
Look after the children
Consider how you will verify age and collect consent from parents and guardians. Your privacy notice must be suitable for children.
- If your service targets or engages children, the privacy notice has to be child centric. you must also gain consent from their parents/guardians.
- In the UK,a child is classed as someone younger than 13. You must identify these within your data and ensure that there are specific controls placed on these records.
Have procedures for data breaches
Currently, not all organisations are required to notify the ICO when a breach happens. The new regulations ask everyone to do this. Set clear procedures to detect, report and investigate breaches.
Breaches must be reported within 72 hours. Ensure that appropriate breach notification policies and procedures are in place and know how to use them.
Data Protection Impact Assessments and Data Protection by Design
Certain activities, such as automated processing or processing of sensitive data on a large scale, require a prior Privacy Impact Assessment (PIA). The ICO has created a corresponding guide. In addition, particular new systems and processes must be developed with privacy in mind so that the solutions comply with the privacy principles.
Think about the protection of privacy and data at the start of a project, perform a risk assessment for the impact to personal data, ensure all teams are aware of the impact. Make sure these are maintained.
Appoint a data protection officer
Organisations that routinely monitor data or process sensitive data on a large scale must hire a DPO.
Appoint someone who is knowledgeable in data privacy to oversee this. This could be a new role depending on the size and complexity of your organisation.
See the global picture
If you operate in other countries, determine which data protection supervisory authority you come under.
- If you touch EU citizen data you are going to haveto comply with GDPR.
- Map out where the data resides and define the Authority you will sit under.
To book an impact assessment about how GDPR will affect your business, contact us at firstname.lastname@example.org