Pre-GDPR Audit – Check You’re Compliant
With the 25th May implementation date for the General Data Protection Regulation looming at the end of this week, our handy guide to making good use of the final few days will help you to ensure compliance before the deadline. Regulatory change can be daunting, and both the sheer number of new rules and the much talked about consequences of getting it wrong can be intimidating.
There’s no one ‘right way’ to go about preparing for the GDPR. Whether arrangements have been undertaken entirely in-house or external experts have been consulted, with implementation due at the end of this week this is a good time to reflect on the changes that have been made, and to ensure you’re in the best place to meet the unique challenges of the GDPR.
Policy and Procedure Audit
Revisit the policies and procedures that have been created in the run-up. Firms need to ensure they have a process map in place, and are clear about how each type of data is processed for each operation. At a minimum, firms will need a Data Protection Policy which thoroughly covers the GDPR, including policy statements, the Principles of the GDPR, the eight Rights, what data is held and how it will be processed in compliance with the Regulation, how long the data is retained for, how breaches are to be dealt with, how subject access requests will be dealt with, reference to security provisions, data transfer arrangements, and whether a Data Protection Officer is in place, alongside particulars of their role and contact details if so. It’s a good idea to have separate, detailed documents for data retention, data protection impact assessments and breach notification, and, if the volume of requests is likely to justify it, for subject access requests.
The immediate run-up to GDPR is a great time to refresh your employees’ training. Current procedures may have been amended, or re-written altogether, or there may have been only minor changes to how staff will need to work in future, or to the documents they work with. In any case, it’s a great opportunity to remind your staff what the GDPR is all about, how it will affect them, and what they can do to ensure the company remains compliant with the new rules.
You hold and process employee data, so how staff data is dealt with should be covered by your GDPR policies and procedures. Your staff will need to be issued with a Privacy Notice, which should set out how you process their data, the purpose for which you process their data, their rights, and the duration that you keep each type of data for. You also need to consider how you will deal with their data if the employee leaves the firm or their contract is terminated, and how reference requests will be dealt with. Employers should carefully consider the lawful basis for processing employees’ personal data – guidance from the Article 29 Working Party suggests that consent cannot be considered to have been ‘freely given’ in relationships that have a potential power imbalance, and employer/employee is given as an example.
Data Protection Impact Assessments
If you haven’t put together a process for undertaking Data Protection Impact Assessments, now is the time to do it. Under the GDPR, they are mandatory in certain circumstances; failure to undertake one adequately, when required, leaves firms liable to fines of up to €10 million, or 2% of global annual turnover, whichever is higher. Where operations make a DPIA necessary, it should be carried out prior to the processing of data, and ideally as early as possible in the design of the operation. How the DPIA is undertaken will depend on the firm and the type of operation in question – there are a variety of possible templates and frameworks for DPIAs – however, the Article 29 Working Party have set out a checklist of criteria for an acceptable DPIA, and it’s a good idea to ensure that whatever framework you use covers those criteria.
Whatever the size of the firm, it’s important that changes to current practice are communicated within the company. Ideally, staff will already have been trained on the changes that will affect their tasks, but it’s a good idea for the company as a whole to be made aware of the underlying reasons for the changes. Not only does this add context to the new ways of working, it can help staff to understand the best interests of the data subject, and a fuller understanding of the GDPR can help to embed best practice at this early stage.
It’s also important to remember that GDPR preparation continues after the 25th May implementation date. Firms need to ensure they are up to date with any information published by the Information Commissioner’s Office and with any Codes of Conduct published in relation to the GDPR, and that policies and procedures work well and are amended in light of any issues that arise. We offer post-GDPR audits that ensure you remain compliant with the new rules. Contact Us or visit our Services page for further information, or to book your Audit.