GDPR - 10 Steps to Compliance
We are all hearing a lot about the General Data Protection Regulation (GDPR) at the moment, and rightly so. The changes we need to make are sweeping and, in my opinion, these will have as big an impact on us as the journey to FCA authorisation did.
We’ve held a series of seminars on the subject and participants have been surprised at the level and complexity of some of the changes, for example, the need for multiple fair processing notices depending upon the type of data you are processing or controlling.
Our job is to make the rules as simple as possible, so we have created a simple 10 step process which, if followed, will help you become compliant by the 25 May 2018 deadline.
1. Data audit. The very first thing to do is understand exactly what personal data you process, who (inside and outside the business) processes it, and how long you retain it. Sounds simple, doesn't it? However, you need to follow GDPR's definitions, which means recording the lawful basis for each processing activity (consent is only one of the available bases, so distinguish consented data from data processed on another basis) and distinguishing data received directly from the data subject from data received from a third party. Remember, processors include any third party handling customer information on your behalf, for example, printing providers.
This is a huge job, and a cross-departmental working party should be formed to undertake the project.
2. Gap analysis. Have a GDPR practitioner review your current practices and map out where you would fail to meet the GDPR standard. This is the most efficient way to determine the changes you need to make.
3. Risk management. Risk-assess the changes required, factoring in the time each will take. This lets the working party create an action plan that phases the changes in throughout 2017.
4. Data Protection Policy. Create a new policy that includes a data map detailing the information you hold, your lawful basis for processing it, and which of the 8 individual rights apply to that data. The policy should also cover your use of data protection impact assessments (DPIAs), data protection by design and by default, breach notification, supplier management, retention, and how you will maintain the audit trails needed to demonstrate compliance.
5. Processes. Create a documented process for, amongst other things, each of the 8 rights, so that a request can be recognised, logged and answered within the statutory one-month response period.
6. Manage your suppliers. The processes created in step 5 (one for each right) need to interlock with your suppliers, so that if a customer invokes one of their rights with your supplier, the supplier notifies you of your responsibility to respond, and vice versa. Equally, GDPR (Article 28) now requires certain clauses in processor contracts, and these must be added.
It is also essential that suppliers notify you of breaches without undue delay, so that you can meet your own obligation to notify the ICO within 72 hours of becoming aware of a notifiable breach.
7. Quality assurance. Test that suppliers follow each process correctly. Seed accounts (dummy customer records you plant with a supplier and then use to raise rights requests, checking that the request and the supplier's response reach you) seem to be the best option.
8. Data Protection Officer. Appoint a DPO to oversee your compliance, where GDPR requires one or you choose to appoint one voluntarily. This person must have the seniority, skill, independence and understanding to undertake the role.
9. Train staff. Intensive training will be required, as staff will need to learn how to handle requests relating to automated profiling, erasure (the right to be forgotten), rectification, data portability, and so on. Not every right will apply to everything we hold (some apply only to certain data, such as special category data, previously known as sensitive personal data), but staff need to know when each right applies and when it does not, so that they can respond correctly to customers or invoke the correct process.
10. Re-audit. Finally, re-audit your processes, ideally in January 2018, to check how well the new standards have been implemented. This leaves Q1 2018 to make any changes required.