Introduction to GDPR
Introduction to the General Data Protection Regulation (GDPR)
How startups and small businesses can become and remain compliant with the new regime
office@buckworthscompliance.com
Introduction

The General Data Protection Regulation (“GDPR”) becomes law on 25 May 2018. It will come into force throughout the UK and EU and will apply to any business collecting personal data relating to EU citizens. The UK government has confirmed that it will adopt the standards set out in GDPR notwithstanding Brexit. The Data Protection Bill published in September 2017 will eventually implement GDPR into English law. This guide sets out to explain to startups and high growth businesses how to prepare and become compliant with GDPR.
GDPR impacts all businesses regardless of size and sector. The aim of the regulation is to ensure that the laws relating to the collection and use of personal data by businesses are suitable for the digital age. Data is the new currency. Companies such as Google provide many of their services effectively for free, on condition that users give them access to, and control over, the extraordinary quantity of data that they collect. GDPR seeks to empower individuals to take control of their data and dictate how and by whom it is processed. Data subjects will now have the right to require the deletion of their personal data as well as the right to move their data from one service provider to another. The Data Protection Bill sets out a new definition of personal data and updated standards for protecting that data. When it becomes law, the Data Protection Act 2018 will set out how certain concepts included in GDPR will be interpreted in the context of English law.
Is GDPR really something that I need to worry about?
Absolutely. Every business will be impacted in some way by GDPR. Every company will have to review how it handles personal data and make some changes to become compliant with the new regime. For many businesses, these changes will be relatively painless to put in place so long as adequate time and resources are set aside to focus on becoming compliant. For some businesses, more detailed work may be required.
Failure to comply with the new regime is simply not an option. Fines for non-compliance can be imposed of up to 4% of global annual turnover or €20,000,000, whichever is greater. Of even greater significance for service providers is that a failure to be compliant with GDPR may result in customers moving provider due to the inherent risks of dealing with a non-compliant business. We have developed services specifically for startups and high growth businesses designed to get them compliant, maintain their compliance and demonstrate an ongoing emphasis on compliance. Further information on our services can be found at the end of this booklet.
www.buckworthscompliance.com
Contents

Helpful definitions ..... 1
What is data protection? ..... 2
The legal basis for processing personal data ..... 3
The importance of consent ..... 5
The rights of data subjects ..... 7
The importance of accountability ..... 10
Maintaining data security ..... 12
How we can help? ..... 14
Deliverables ..... 16
What should I do now? ..... 17
Helpful definitions
The most important terms are explained over the next pages. However, the following are some other terms that are referred to, but not explained in detail.

Biometric data – personal data resulting from technical processing relating to the physical, physiological or behavioural characteristics of an individual, which allow or confirm the unique identification of that individual. Examples of biometric data include facial images or fingerprints.

Genetic data – personal data relating to the inherited or acquired genetic characteristics of an individual which gives unique information about the physiology or the health of that individual. Genetic data will often be derived from an analysis of a biological sample from the individual.

Health purposes – processing for the purposes of (i) preventative or occupational medicine, (ii) assessment of the working capacity of an employee, (iii) medical diagnosis, (iv) the provision of health or social care or treatment or (v) the management of health or social care systems or services, in each case on the basis of EU or Member State law, or pursuant to a contract with a health professional and subject to the safeguards therein.

Profiling – any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
What is data protection?

Data protection (also referred to as privacy) relates to how businesses collect and process personal data. It is relevant to all businesses no matter whether they work exclusively with other businesses (B2B), solely with consumers (B2C), or with a mixture of both.

What is personal data?

Personal data is information that identifies (directly or indirectly) an individual. This includes their name, address and contact details as well as identification numbers, location data, identifiers used by websites, apps or software, mobile device identifiers, cookie strings and IP addresses. Importantly, business contact details are now included in the concept of personal data. GDPR distinguishes between sensitive data (technically known as “special categories of data”) and non-sensitive personal data. Sensitive data includes information revealing a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data relating to his/her physical or mental health, sex life or sexual orientation and details of criminal offences.
Processor or controller?
GDPR draws a distinction between a controller and a processor. A controller is a person who alone, or jointly with others, determines the purposes and means of processing. A processor is a person who processes personal data on behalf of a controller.
The obligations of a controller and processor relate to “processing” carried out by them or on their behalf. The concept of processing includes a broad spectrum of activities including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, combination, restriction, deletion and destruction of personal data.
GDPR introduces new concepts, the most important of which is that of processing that poses a high risk to the rights and freedoms of individuals. This concept is used as a gateway threshold to a number of enhanced compliance obligations. Posing a risk to individuals in this sense is taken to mean processing that could lead to physical, material or non-material damage. Processing that poses a high risk includes processing that may prevent an individual from exercising a right, or using a service, or where the processing is carried out systematically or on a large scale.
To whom does GDPR apply?
GDPR applies to all businesses established in the EU as well as to businesses established outside the EU but who offer goods or services to, or monitor the behaviour of, data subjects within the EU. The meaning of “offering goods and services” is very broad and includes targeting marketing at, or delivering goods to, individuals in the EU. Processing carried out outside the EU on behalf of a business operating within the EU is also subject to GDPR.
The legal basis for processing personal data

GDPR sets out six principles which must be complied with in respect of all processing of personal data and a set of conditions, one of which must be applicable in order for any processing to be compliant.

The six principles

All controllers and processors must ensure that they have policies and procedures in place to comply with each of the following six principles and that they do in fact comply with them:
1. Lawfulness, fairness and transparency – personal data must be processed lawfully, fairly and in a transparent manner.
2. Purpose – data must be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes. This means that you must explain to data subjects why you are collecting the data and what you intend to do with it.
3. Minimisation – personal data collected must be adequate, relevant and limited to what is necessary in relation to the purposes for which the data was collected. In other words, you must only collect the data that you actually need. In addition, you must only retain personal data where it is necessary to retain it.
4. Accuracy – personal data must be accurate and up to date. Inaccurate data should be corrected or deleted.
5. Storage – personal data must be kept for no longer than is necessary for the purposes for which the personal data are processed.
6. Integrity and confidentiality – data must be kept securely.
The processing conditions
In order to process personal data lawfully, a controller must satisfy at least one of the following processing conditions:
1. Consent – explicit affirmative consent has been given by the data subject in respect of processing for one or more specific purposes.
2. Contractual performance – it is necessary to process the personal data in order to perform a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
3. Legal obligation – the controller has a legal obligation under EU or national law to process the personal information.
4. Vital interests – to protect the vital interests of the data subject or another individual, for example in the case of a medical emergency.
5. Public interest – the processing is justified in the public interest, or in the exercise of an official authority vested in the controller.
6. Legitimate interest – the processing is necessary for the purposes of a legitimate interest pursued by the controller or a third party, though this condition is invalid if the interests interfere with the fundamental rights and freedoms of the data subject, particularly where the data subject is a child.
Where sensitive personal data is being processed, at least one of the special data conditions must be satisfied. These conditions include consent, vital interests and public interest as set out above as well as:
1. Employment – the processing is necessary in the context of the employment, social security or social protection of the data subject.
2. Not for profit – the processing is carried out in pursuance of the legitimate activities (with appropriate safeguards) of a non-profit organisation with a political, philosophical, religious or trade union aim, on condition that the processing only relates to its members or former members or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed to third parties outside of the organisation without the consent of the data subjects.
3. Made public – the personal data was manifestly made public by the data subject.
4. Legal proceedings – the processing is required for the establishment, exercise or defence of legal claims.
5. Health purposes – the personal data is processed for health purposes subject to the processing taking place under the responsibility of a professional subject to the obligation of secrecy under EU or Member State law or rules established by national regulators.
6. Archiving and research – the processing is required for archiving in the public interest, scientific, historical or statistical research.
All businesses must develop a clear understanding of the conditions under which they process personal data. Many companies will be heavily reliant on securing the consent of the data subject, a key area in which GDPR significantly changes the goal posts.
To do:
(i) identify for each processing activity, the relevant condition(s) that are being relied upon and ensure that these grounds will still be applicable under GDPR; and (ii) ensure that each of the processing conditions is met for all types of processing.
The importance of consent

The most commonly used processing condition is that the data subject has given consent. However, GDPR imposes a significantly higher standard to be met in order for consent to be a legitimate processing condition. Consent is defined as “a freely given, specific, informed and unambiguous indication of the data subject’s wishes”. Consent must be given by a positive statement or by a clear affirmative action.

Under GDPR there is a presumption that consent as a processing condition will not be valid unless a separate consent has been obtained for each processing activity. Omnibus consents (where the data subject clicks a box to agree to the entirety of a privacy policy) will no longer be valid.

In order for consent to meet the requirements of GDPR, each of the following conditions must be met:
1. Clear and simple language – the request for consent must be accessible and in clear and simple language. This includes being in a language that the data subject understands – businesses must ensure that privacy policies targeted at customers in foreign countries are translated into a local language.
2. Separation – the request for consent must be clearly separated from any other topics. For example, most businesses ask customers to tick a box to state that they have read and agree to the privacy policy. This will no longer be sufficient.
3. Opt-in – the consent must be given through a clear act of opt-in. (Inactivity, silence, and pre-ticked boxes are not acceptable).
4. No omnibus consents – data controllers must not bundle consents. If there are multiple purposes for a type of processing, or consents for multiple types of processing, consent must be given to each one of them separately.
5. Genuine choice – consent is not valid if the data subject does not have any other genuine choice. This would include if they may be harmed by refusing to give consent or on withdrawing consent.
6. No imbalance of power – consent is not valid if there is a clear imbalance of power between the data subject and the data controller. This may be the case where the data subject is an employee of the data controller.
7. Not a condition – consent is not valid if it is a condition of performance of a contract.
8. Freedom to withdraw consent – individuals must be able to withdraw consent at any time, must be told about this right before giving consent and withdrawing consent must be as easy as giving it.
9. Explicit consent for sensitive data – must be given in respect of processing sensitive data or transferring personal data outside of the EU.
Many businesses currently relying on consent as a processing condition will need to review and change their approach to securing consent. Any new procedures must be in place (and data subjects must have given consent using the updated process) prior to May 2018. Where data subjects are not willing to give consent, or cannot be traced, processing may not be able to take place in respect of their personal data. Businesses will also need to build in procedures to allow data subjects to withdraw consent.
What about marketing activities?
The ePrivacy Directive imposes additional requirements for marketing via phone, email and fax. Such marketing can only be done if the data subject has already given consent, or if there is already a relationship in effect in respect of which consent has been given and the marketing activities relate to similar products and services. Similarly the Privacy and Electronic Communications Regulations regulate how marketing activities must take place.
Protections for children
Additional provisions apply in respect of securing consent from children. For UK purposes, a child is a person below the age of 13. A child can give consent in respect of online services if it is authorised by a parent or guardian. The controller must make reasonable efforts to verify that consent is given or authorised by a parent or guardian, taking into consideration available technology. Privacy policies aimed at children must be very simple and clear. For many businesses, it is not practical to aim a privacy policy at children as it is not possible to provide the requisite information in a format that is sufficiently simple and clear for a child to understand.
Certain types of processing should not take place in respect of children. These include profiling and automated decision making. Conversely, the right to be forgotten applies very strongly to children.
To do:
(i) ensure that consent is active and does not rely on inactivity, pre-ticked boxes or silence (deemed consent); (ii) check that the supply of your services is not conditional on consent except to the consent necessary to supply the services; (iii) inform data subjects that they can withdraw consent and make sure that the method to do this is simple and accessible; and (iv) ensure that consent to processing is clear and separate from other matters.
The rights of data subjects

GDPR introduces two new rights for data subjects: the right to be forgotten and the right to move their data. These are in addition to three existing rights: the right to object to direct marketing, the right to request a copy of personal data held about them and the right to object to being subject to automated decision making.

The right to object to direct marketing
Direct marketing is regulated by multiple pieces of legislation including GDPR, the Privacy and Electronic Communications Regulations and the ePrivacy Directive. Generally data subjects must consent to direct marketing.
If a data subject objects to the use of their personal data for direct marketing, the personal information must be entirely deleted from any mailing list to ensure that no further direct marketing, or profiling in respect of marketing, occurs. Any direct marketing email should contain an opt-out link allowing the recipient to easily and quickly opt out of receiving further emails. Services such as Mailchimp provide compliant easy-to-use services and are highly recommended as a tool for small businesses. Businesses should note that adding an email address to a marketing mailing list without prior consent will be a breach of GDPR even if an opt out is included in the email. Individuals must be notified of their right to object to direct marketing at the time they provide personal data.
To do:
(i) ensure that data subjects are told of their right to object to direct marketing at the point of first communication; (ii) make sure that there is an automated way for a data subject to object and to be removed from any marketing list; and (iii) put in place a clear process and policy on the right to object.
The right to make a data subject access request
Data subjects have long had the right to request a copy of their personal data held by a business. The purpose of the request should be to allow the data subject to verify the lawfulness of the processing being carried out by the business.
GDPR imposes some additional significant and important changes. Businesses now have to provide requested information for free (at least on the first occasion). Businesses must respond to any request within 1 month though this period can be extended in writing if the request is complex, or if there are too many requests in place. Businesses are permitted to refuse, or charge a fee, in respect of a request that is manifestly unfounded, excessive, or where the request fails to adequately identify the precise data the data subject is requesting. Businesses can also withhold personal data if disclosure would adversely affect the rights and freedoms of others. GDPR requires that a data subject should be able to make a subject access request and get the response through the business’ online platform (where applicable). GDPR encourages businesses to implement tools allowing data subjects to be able to generate a copy of their data themselves through the platform.
To do:
(i) review customer service processes, procedures and training to ensure compliance with GDPR; (ii) develop template response letters; (iii) ensure that data can be provided in a compliant format; and (iv) check whether data (and any associated meta-data) can be exported.
The right to object to being subject to automated decisions having a legal or significant effect

Data subjects are able to object to automated decision-making (also called profiling). Profiling is only permitted in the following circumstances:
1. Explicit consent – where profiling is based on the explicit consent of the data subject, subject to suitable safeguards being in place, including the right to a human review of the decision.
2. Contractual performance – where profiling is necessary for the performance of a contract with the data subject, subject to suitable safeguards being in place, including the right to a human review of the decision.
3. Authorised by the EU or a Member State.
Additional restrictions apply to profiling in respect of children. Best practice is not to extend profiling to children.
To do:
(i) identify whether any profiling takes place in respect of personal data and if it does, check which condition is relied on; (ii) ensure that any profiling based on consent has explicit consent; and (iii) make sure that no profiling occurs in respect of children.
The right to be forgotten
Also known as the right to erasure, data subjects are able to request the deletion or removal of personal data where there is no compelling reason for its continued processing, where they withdraw consent for processing or where the processing is otherwise unlawful. In parallel, individuals are able to restrict further processing of personal data meaning that data controllers may retain the personal data but not further process it.
To do:
(i) ensure that staff members and suppliers understand the importance of data erasure requests and comply with them; (ii) ensure that erasure requests are communicated to all processors of personal data acting on behalf of or with the authority of the controller; and (iii) put in place procedures to be followed in the event of receipt of an erasure request.
The right to data portability
This right is designed to allow individuals to move their personal data from one service provider to another in a convenient electronic format. The aim is to prevent service providers from effectively preventing data subjects from moving to another service provider by restricting their ability to transport data.
The right applies to personal data which (i) is processed by automated means (i.e. not to paper records) (ii) has been provided to the controller by the data subject and (iii) only where the condition for processing is consent, or as required in order to perform a contract or in preparation for a contract.
To do:
(i) review customer service processes, procedures and training to ensure compliance with GDPR; (ii) develop template response letters; (iii) ensure that data can be provided in a compliant format; (iv) check whether data (and any associated meta-data) can be exported; and (v) consider developing systems and functionality to allow data subjects to exercise their rights directly.

A key focus of GDPR is protecting the rights of data subjects. The regime aims to encourage data subjects to pro-actively manage and protect their personal data. As such, the rights detailed in this section are of even greater importance than previously. Businesses should strive to ensure that these rights are set at the centre of compliance practices with the consequence that they will be able to demonstrate a high level of compliance with the spirit of GDPR.
The importance of accountability

GDPR introduces a new concept of accountability. Data controllers and processors now have an obligation to demonstrate compliance with all six principles, increasing the pressure to implement policies and document procedures that will eventually both ensure compliance and provide evidence of compliance.

Demonstrating compliance
GDPR requires businesses to implement technical and organisational measures to demonstrate compliance with the regime. These measures may include:
1. Policies – maintaining data protection policies, which are communicated to staff and are regularly reviewed and updated.
2. Training – undertaking regular staff training.
3. Audits – carrying out internal audits at regular intervals to ensure that policies and procedures are complied with.
4. DPO – appointing a Data Protection Officer (DPO) to advise on aspects of compliance and to provide a point of contact for management and the ICO.
5. Pseudonymisation – applying technological measures to prevent a person identifying an individual from personal data stored by the business without a restricted key.
6. Transparency – ensuring all processes are transparent.
7. DPIA – carrying out a Data Protection Impact Assessment (DPIA) prior to the introduction of all new features and services.
Risk-based approach
GDPR puts the reduction of risk when processing personal data at the centre of the regime. The approach implies that data controllers and data processors must adopt tools to assess risk. Tools such as DPIA, privacy by design and the use of certification and codes of conduct provide a reliable and objective assessment of risk whilst the obligation to retain evidential documentation provides evidence of the steps taken to reduce risk.
The risk-based approach requires that, where specific risks are identified, additional measures are put in place as appropriate to reduce them. Where there is a high risk to the rights and freedoms of data subjects, the DPO (if appointed) should be consulted on mitigating the risk, and where the high risk relates to the introduction of a new service, a DPIA should be undertaken.
Pseudonymisation
Pseudonymisation is a process which transforms personal data so that it can no longer be attributed to an individual without access to additional information that is kept separately and securely. This is a safeguard, a risk-reducing and data-protective measure, and although the pseudonymised data looks anonymous on its face, this kind of data should still be treated as personal data.
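To make the restricted-key idea in this section concrete (and the "pseudonymisation and encryption" measure listed later under data security), here is an added Python example that is not part of the booklet: direct identifiers are replaced with an HMAC-SHA256 pseudonym under a key kept apart from the data, the re-identification table is held separately, and the analytics copy is minimised. The record fields, e-mail addresses and the assumption that the key lives in a separate secrets store are all constructed for illustration.

```python
"""Keyed pseudonymisation of customer records (added example).

Illustrates the booklet's description: personal data is transformed so
that it cannot be attributed to a person without additional information
(the key and the re-identification table) that is kept separately.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (fictional people). The third record is a
# duplicate of the first with different letter case in the e-mail.
CUSTOMERS = [
    {"email": "Alice@Example.com", "name": "Alice Example",
     "postcode": "SW1A 1AA", "plan": "pro", "signup_year": 2017},
    {"email": "bob@example.org", "name": "Bob Sample",
     "postcode": "M1 1AE", "plan": "free", "signup_year": 2018},
    {"email": "alice@example.com", "name": "Alice Example",
     "postcode": "SW1A 1AA", "plan": "pro", "signup_year": 2017},
]

# Fields that identify a person directly; never copied to the analytics set.
DIRECT_IDENTIFIERS = ("email", "name")


def new_pseudonymisation_key() -> bytes:
    """Generate the restricted key (256 bits).

    Assumption: in production this key is held in a secrets store or HSM
    with its own access controls, separate from the pseudonymised data.
    """
    return secrets.token_bytes(32)


def pseudonym_for(identifier: str, key: bytes) -> str:
    """Derive a stable pseudonym for a direct identifier with HMAC-SHA256.

    A keyed MAC is used rather than a bare hash so that a party holding
    only the pseudonymised rows cannot recompute pseudonyms from e-mails
    they already know; without the key the mapping is not reproducible.
    """
    if len(key) < 32:
        raise ValueError("pseudonymisation key must be at least 256 bits")
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Return (analytics_rows, reidentification_table).

    analytics_rows carry only a pseudonym plus minimised attributes.
    reidentification_table (pseudonym -> e-mail) is the "additional
    information kept separately" and must be stored apart from the rows.
    """
    rows, table = [], {}
    for rec in records:
        pid = pseudonym_for(rec["email"], key)
        table[pid] = rec["email"].strip().lower()
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        # Data minimisation: keep only the outward part of the postcode.
        postcode = row.pop("postcode", "")
        row["postcode_area"] = postcode.split()[0] if postcode.split() else ""
        row["subject_id"] = pid
        rows.append(row)
    return rows, table


def contains_direct_identifiers(rows) -> bool:
    """Pre-export check: True if any row still carries a direct identifier."""
    return any(k in DIRECT_IDENTIFIERS for row in rows for k in row)


def reidentify(pid: str, table: dict):
    """Controlled re-identification (e.g. to action an erasure request).

    Returns the e-mail for a pseudonym, or None if it is not in the table.
    """
    return table.get(pid)


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    analytics_rows, lookup = pseudonymise(CUSTOMERS, key)
    for row in analytics_rows:
        print(row)
    print("direct identifiers present:", contains_direct_identifiers(analytics_rows))
```

Because the key and the table are what turn the rows back into personal data, access to them should be logged and restricted in the same way as access to the original records.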
Data protection by design and by default
Under GDPR, data controllers have to implement appropriate technical and organisational measures in order to comply with the data protection principles, as well as safeguards to ensure data subject rights. Measures that are required to be implemented will vary depending on the business but could include data minimisation, pseudonymisation, limitations on the extent of processing, limitations on storage periods and accessibility. Failure to comply with privacy by design and default principles could result in the business being subject to a fine. However, if privacy by design and default principles are implemented, penalties in respect of any breach could be mitigated entirely, or at the very least reduced.
Data Protection Impact Assessments (DPIA)
Before any processing that may involve a high risk to the rights and freedoms of data subjects takes place, data controllers must assess any associated privacy risks and consider future measures that should be put in place to mitigate those risks. For that reason, DPIAs should be used as a tool to identify the most effective way to comply with data protection obligations. If used at an early stage, a DPIA can identify and fix problems that could lead to significant fines, damages and costs to the business and/or data subjects.
To do:
(i) carry out an initial DPIA or mini-audit in good time prior to the implementation of GDPR; (ii) appoint a DPO or expert to provide guidance on GDPR; (iii) evaluate internal policies and reporting lines; (iv) ensure that a process is in place for regular (quarterly) reviews and training; and (v) implement measures to ensure that proper records are kept evidencing compliance.
Maintaining data security

GDPR requires data controllers to put in place appropriate technical and organisational measures to protect their electronic systems. In the event of a breach, a data controller may be required to justify why they didn’t implement any appropriate measures. The scope of measures will depend on what is appropriate taking into account the nature of the business, the type of personal data being processed and the risk to data subjects of that personal data being compromised. Measures may include:
1. pseudonymisation and encryption of personal data;
2. taking steps to ensure the ongoing confidentiality, integrity, availability and resilience of the controller’s information technology systems;
3. restoring the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
4. implementing a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures to ensure the security of the processing.
What must controllers do in the event of a breach?
In a change from the Data Protection Act 1998, GDPR imposes on controllers a mandatory obligation to notify the ICO without undue delay (where feasible within 72 hours) where a data breach occurs which relates to any type of personal data in circumstances where the breach could result in a risk to the rights and freedoms of any individual. In practice, almost any kind of breach where personal data is compromised is likely to meet this threshold.
Processors must notify their controllers of data breaches without undue delay where the processor considers that the breach results in a risk to the rights and freedoms of any individual. This will in most cases lead to the data controller having an obligation to make a report to the relevant supervisory authority. It is therefore important that agreements with data processors impose blanket obligations to report any data breaches promptly. A controller does not want a processor to apply the threshold incorrectly and elect not to notify the controller where the breach results in a risk to the rights of an individual.
In the event of a breach which is likely to result in a high risk to the rights and freedoms of any individual, controllers must notify data subjects publicly (unless it would involve a disproportionate effort) without undue delay. An exemption to this obligation applies where the breached data has been securely encrypted and the key has not been compromised. Controllers must also notify data subjects if the supervisory authority requires them to do so. GDPR emphasises the need for both controllers and processors to have in place an effective breach management plan. This must be tested regularly and records must be kept of the outcomes of such tests. Businesses may consider putting in place codes of conduct to set out what staff should do in the event of a breach.
To do:
(i) implement a data breach policy and carry out staff training to ensure compliance with the policy;
(ii) test and review the policy and procedures regularly;
(iii) implement technical and organisational measures to render data unintelligible in the case of unauthorised access;
(iv) evaluate insurance policies; and
(v) put in place data protection clauses which require suppliers to immediately notify the controller of any data breach.
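The encryption exemption described above, and item (iii) of the to-do list, both turn on the same engineering property: a copy of the stored data taken by an unauthorised party must be unintelligible without a key that is kept somewhere else. The following is an added illustration of that measure in Go; it is not code from this guide or from Buckworths Compliance. It assumes a customer record identified by a record id, encrypts the personal data field with AES-256-GCM, binds the record id to the ciphertext as associated data so a ciphertext cannot be swapped between rows, and assumes the key is supplied by a separate key store (a KMS or HSM in production) rather than living beside the records. The sample record and key are constructed inline so the program runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Record is a constructed sample of what reaches the data store: an id and
// the sealed personal data. No plaintext personal data is stored.
type Record struct {
	ID         string
	Ciphertext string // base64(nonce || AES-GCM ciphertext || tag)
}

// NewKey returns a fresh 256-bit key. Assumption: in a real deployment this
// key is held in a KMS or HSM, never in the same store as the records, so a
// dump of the store alone does not compromise the key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// SealPII encrypts one personal data field under key with AES-256-GCM.
// recordID is passed as associated data: it is authenticated but not
// encrypted, so a ciphertext copied onto another record fails to open.
func SealPII(key []byte, recordID string, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Prepend the nonce so the stored value is self-describing.
	sealed := gcm.Seal(nonce, nonce, plaintext, []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// OpenPII reverses SealPII. It returns an error if the key, nonce, ciphertext,
// authentication tag or recordID differ from what was sealed.
func OpenPII(key []byte, recordID string, encoded string) ([]byte, error) {
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, err := NewKey() // stands in for a key fetched from the separate key store
	if err != nil {
		panic(err)
	}
	rec := Record{ID: "cust-0001"} // constructed sample record
	rec.Ciphertext, err = SealPII(key, rec.ID, []byte("Jane Example, jane@example.com"))
	if err != nil {
		panic(err)
	}
	// This is all an attacker with a copy of the store sees.
	fmt.Printf("stored: id=%s ciphertext=%s\n", rec.ID, rec.Ciphertext)

	pt, err := OpenPII(key, rec.ID, rec.Ciphertext)
	fmt.Printf("authorised read: %q err=%v\n", pt, err)

	// Moving the ciphertext to another record id fails authentication.
	_, err = OpenPII(key, "cust-0002", rec.Ciphertext)
	fmt.Printf("swapped record id: err=%v\n", err)
}
```

If the key store is compromised along with the data, the exemption no longer applies and data subjects must be told; the breach policy should therefore record where keys live and who can reach them, so that question can be answered within the 72-hour window.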
How can we help?
Compliance with GDPR is an ongoing process. Once a business has become compliant, it must continue to monitor, adapt and update its processes to demonstrate that it has remained compliant. Buckworths Compliance provides services to bring a business to a state of compliance and then to assist it with maintaining compliance thereafter.
Becoming compliant
Scoping report – We work with management to understand the nature of the business, what personal data it collects and what it does with the personal data. We also identify what documentation is already in place in relation to data protection compliance. This helps us to understand where the main touchpoints for regulation are and what complexities there may be in bringing the business to a state of compliance.
Data Protection Impact Assessment (DPIA) – We undertake a data protection impact assessment (essentially an audit) which can be carried out either during the startup phase (for new businesses), or as part of becoming compliant with GDPR (for existing businesses). As part of the assessment, we review the way that the business operates with a particular focus on:
1. what personal data it collects;
2. how it collects and stores the personal data;
3. what technological and organisational measures are in place with regards to the personal data;
4. how the data is used;
5. the legal condition(s) for processing;
6. where consent is a condition for processing, how consent is secured and whether it is valid under GDPR;
7. how and to whom any data is disclosed;
8. what contractual provisions are in place with processors and recipients of personal data; and
9. what policies and procedures are in place to govern matters such as data breaches, data subject access requests, requests for data deletion and requests relating to the portability of data.
Implementation – On completion of the DPIA, Buckworths Compliance provides a report summarising the information collected and providing recommendations in three areas: legal, compliance and technical. This report is the starting point for evidencing steps taken to become compliant. Buckworths Compliance implements the compliance recommendations (which may include putting in place or amending policies and procedures) and Buckworths (our sister law firm) implements the legal recommendations (which may include amendments to the privacy policy and amending data protection clauses in supplier agreements). We can assist your tech team, or can recommend highly qualified third parties to help, with implementation of any technical recommendations.
Maintaining compliance
Once the recommendations in the DPIA have been implemented, the business should be compliant, or on its way to be compliant, with GDPR. However, maintaining compliance is an ongoing process.
DPO – many businesses will be required to appoint a data protection officer (DPO). However, those that are not required to do so will want to have access to regular advice and to carry out regular compliance health checks to ensure that the business remains compliant and that the business can demonstrate compliance to the ICO. Buckworths Compliance provides an outsourced DPO service as well as a lighter touch quarterly review service. Both services are designed to assist a business in demonstrating compliance with GDPR.
Training – a key obligation of GDPR is to ensure that all staff are appropriately trained in GDPR and its implications for your business. Buckworths Compliance provides generic and tailored training for businesses to ensure that all staff know and understand their obligations. This takes the form of face to face training, videos and online training.
DPIA for new services – every time that a new service is introduced, an analysis must be undertaken to identify whether the service represents a high risk to the rights of data subjects. If (as is often the case) it does, a DPIA will need to be undertaken to identify the risks involved and recommend and implement measures to minimise the risk. Buckworths Compliance can carry out these additional DPIAs for you.
Our services
The services a business requires depend on the complexity of its data protection position. Many businesses will fall into our category of “simple business”. This means that the data they collect, the ways that the data is used and the protections in place in respect of such data do not raise a high risk to the rights and freedoms of data subjects, and significant changes are not required for the business to become compliant with GDPR. “Complex businesses” are those where the data collected contains sensitive personal data, the uses of data may raise a high risk to the rights and freedoms of data subjects, or significant work is required to bring the business into compliance with GDPR.
Deliverables
Most businesses will need to put in place the below documents in order to demonstrate compliance with GDPR. Different documents will have varying degrees of importance depending on the nature of the business.
Data Protection Impact Assessment – this is essentially an audit of your business through which we seek to understand what personal data you collect, the basis on which you collect and use it and what you then do with the personal data. This is the foundation of your data protection compliance.
Privacy Policy – also called a “privacy statement”, this is the public document setting out what personal data you collect, what you do with it and the rights of data subjects. Where consent is a condition of processing, your customers will confirm their consent to each type of processing within this document.
Data subject access request policy – where a data subject makes a request for a copy of the personal data held about them, you have a legal obligation to provide it. This policy sets out what data you must (and can) provide, how you must provide it and the procedure for responding to data subject access requests.
Data retention policy – data must be kept up-to-date and accurate. You must only keep personal data for so long as is necessary for the purpose for which the data was collected. This policy sets out the rules relating to retention of personal data and will be unique to your business.
Policy on withdrawal of consent – data subjects must be able to withdraw consent for processing of personal data. If consent is withdrawn, you must (in most circumstances) stop processing that data. This policy sets out what to do, and how to put into effect a withdrawal of consent.
Right to be forgotten policy – this policy sets out how you handle a data erasure request, in what circumstances you must delete personal data and in what circumstances you may be required (or may need) to retain it.
Mailing list procedures – it is vital that businesses carry out direct marketing in compliance with the GDPR regime. Having a clear, compliant procedure in place is a key step to becoming compliant.
Profiling policy – a policy that sets out in what circumstances automated decision making occurs and the process that is to be followed in the event that someone indicates that they do not consent to profiling. This policy should also contain clarifications on your position with regards to profiling of data subjects who are children.
Data portability policy – data subjects now have the right to move their personal data from one service provider to another.
Data breach policy – this policy is hugely important as it sets out what happens in the event of a data breach. There are strict timelines within which you must notify the regulator and communicate the breach to affected data subjects.
Standard data protection clauses – these are compliant clauses that should be implemented into all processing agreements with service providers. You can be liable if your processors do not comply with the GDPR regime in respect of personal data of which you are the controller.
Record of staff training – getting all your staff trained up on GDPR is important. However, you also want to be able to demonstrate that they have been trained. Do not forget the training record.
What should I do now?
The below is a checklist designed to help you get ready for GDPR. Compliance with GDPR requires planning, an understanding of the data you collect and the conditions under which you process it. Being a startup is not a get-out-of-jail card: GDPR applies to all businesses no matter their size.
1. Contact us to have an initial chat about your business, what steps you may need to take to get compliant with GDPR and how we can help you.
2. Work with us to carry out a scoping report to identify whether you are a “simple business” or a “complex business” and to get an idea of where potential issues might be with regards to compliance with GDPR.
3. Get us to carry out a DPIA to understand in detail what personal data you collect and what you do with it. This document is vital as the foundation document to demonstrate compliance with GDPR. If you are a simple business, this process should be relatively straightforward. If you are a complex business, it may be more complicated. However, in both cases, the outcome will be a set of recommendations to implement to make your business GDPR compliant.
4. Buckworths (www.buckworths.com) will work with you to implement the legal recommendations. This may include drafting or amending your privacy policy, tweaking your terms of business / customer contracts and amending agreements with your processors.
5. We will implement compliance recommendations. This may involve us implementing procedures and putting in place policies required to demonstrate compliance. These policies and procedures will also help you to ensure that you behave in a way that is compliant with GDPR. A comprehensive list of these policies is included on the preceding page.
6. We will help your tech wizards implement any technological changes. There may be some managed services that you can put in place to help meet some of the technical recommendations. We can provide recommendations of these and help you to decide what would be appropriate.
7. Training your staff is vital if your business is to be compliant with GDPR. We provide fun, interactive and accessible workshops for staff. We can tailor training to the needs of your business and your staff. We provide you with a training record which helps you demonstrate compliance with the regime. Sign up to training and get ahead of the curve!
8. Carry out regular reviews of your data protection practices. This is crucial, as is keeping records of these reviews. We provide a subscription service by which we can provide time and cost-effective monthly or quarterly reviews as well as assistance in the case of data breaches or other issues with regards to data protection compliance.
office@buckworthscompliance.com | www.buckworthscompliance.com