Are you GDPR ready? Take these five vital actions towards compliance
The General Data Protection Regulation (GDPR) enforces new standards for data protection across Europe from 25th May 2018 onwards. Individuals will have enhanced rights regarding their personal data. Organisations collecting and using personal data will have to be more transparent in the way they do so. Senior management will be held accountable for data privacy within their organisations. Small businesses have to adjust to achieve GDPR compliance.
The introduction of the GDPR is an opportunity for your business to hone its information security policies. By ensuring the personal data given to you by customers and employees is processed securely, you can build trust and safeguard your reputation. Additionally, steep fines can be imposed for non-compliance.
This article is published as an introductory resource. It does not constitute legal advice. Internetwork’s five fundamental steps for small businesses preparing for the GDPR are as follows:
1. Perform an information audit
Your first step towards GDPR compliance is to find out exactly what personal data you process. Processing personal data involves the collection, storage, usage, adaption or distribution of personally identifiable information.
Personal data is any information relating to an identified or identifiable individual, such as a name, address or contact details. The GDPR makes explicit that this also covers online identifiers such as IP addresses and usernames (and the passwords tied to them), ID numbers, and genetic and biometric data such as DNA samples and fingerprints.
An information audit involves the examination of all the data that flows into and out of your business. Note any personal data involved, whether it be employee bank details, customer addresses or clients' email addresses.
The Information Commissioner’s Office (ICO) will enforce the GDPR in the UK. The ICO has placed a lot of emphasis on documentation. To comply with the GDPR you will need to keep records of the findings of your data audit.
You should note each type of personal data you identify within your business, along with your purposes for processing it, where it is stored and how it is protected. The below template is a good starting point for this.
By mapping the flow of data throughout your business you can begin to address any data privacy weaknesses you may have. Consider whether you are processing any personal data unnecessarily or holding data that is no longer relevant.
2. Understand your role and your relationships
As part of your data audit, you will identify any third parties with whom you share personal data. Certain third-party relationships are defined under the GDPR as data controller-data processor relationships.
A data controller is ultimately responsible for deciding the manner in which the personal data will be collected, used and stored. A data processor collects, uses or stores the personal data on behalf of the data controller, only acting on their instruction.
For instance, if your email is stored in the cloud, your cloud service provider acts as a data processor on your behalf. You are the data controller in this scenario.
Similarly, if you use the services of a marketing company, you are the data controller in the relationship. You instruct the marketing company to use your customers’ contact details to advertise your services to them. Therefore, they are the data processor, processing personal data under your instruction.
In a situation where an organisation contacts you and gives you their customers' personal details, requesting that you store or use these on their behalf, you operate as the processor.
Sub-processors can also be involved. For example, if a controller has shared customer details with you, and you personalise material under their instruction, you may use another organisation to distribute the personalised material. In this circumstance, you are still the processor, with the distributing organisation acting as a sub-processor.
Written contracts must be in place in all controller-processor and processor-sub-processor relationships. Under Article 28 of the GDPR these contracts must set out the documented instructions from the data controller to the data processor (or from the processor to the sub-processor), and a processor may only engage a sub-processor with the controller's prior authorisation. The ICO has released more information regarding contracts between data controllers and data processors.
3. Establish a lawful basis
Under the GDPR, you will require a lawful basis to process each type of personal data you identify in your data audit. Consent has perhaps been the most discussed topic in the lead up to the enforcement of the GDPR. However, much of the hype surrounding the need for consent has been blown out of proportion.
“The rules around consent only apply if you are relying on consent as your basis to process personal data. So, let’s be clear. Consent is one way to comply with the GDPR, but it’s not the only way.” - Elizabeth Denham (Information Commissioner)
The ICO sets out the six lawful bases available for processing personal data. Consent is just one of them. For a small business, legitimate interests, contract and consent are likely to be the most common lawful bases selected:
Legitimate interests: when the processing is necessary for your legitimate interests (or those of a third party), such as a commercial or social benefit, and those interests are not overridden by the individual's interests, rights and freedoms.
Contract: when the processing is necessary to perform a contract you have with the individual, or to take steps at their request before entering into one.
Consent: when the individual has given clear, affirmative and freely given consent to the processing for a specific purpose.
The other three lawful bases available are as follows:
Legal obligation: When the processing of data is a legal requirement.
Vital interests: When the processing is necessary to protect someone’s life.
Public task: when the processing is necessary to perform a task in the public interest or to exercise official authority, and that task or authority has a clear basis in law.
You must identify a lawful basis for each purpose of processing before you start, and you should not switch to a different basis later without good reason. Where more than one basis could apply, choose and document the most appropriate one. To determine the most appropriate lawful basis, you will need to examine the nature of the data, your reason for the processing and your relationship with the individual involved. The ICO has designed an interactive tool to help establish your lawful basis.
Again, documentation is key. Records of the lawful basis to process each type of personal data you hold should be kept, alongside justifications for this.
If ‘contract’ is selected, you should document your decision that processing is required for fulfilling your contract obligations and ensure that you outline your purposes and lawful basis in your privacy notice. Privacy documents are discussed in more detail below.
If ‘consent’ is selected, you should keep records that include an identification of who consented, the data they submitted, a timestamp or date, the privacy notice in force and the data-capture form used at the time. The ICO recommends reviewing consents on an ongoing basis. You need to refresh consent whenever your purposes for processing change, and individuals must be able to withdraw consent as easily as they gave it.
If ‘legitimate interests’ is selected, the ICO expects you to carry out and record a Legitimate Interests Assessment (LIA). This basis relies on the benefits of the processing not being outweighed by the risk to the individual's interests, rights and freedoms.
An LIA involves three interlinked tests. First, the purpose test: is there a genuine, clearly stated purpose for processing the data? Second, the necessity test: is the processing necessary to achieve that purpose, or could the purpose be achieved in another, less intrusive manner? Third, the balancing test: taking into account what a reasonable individual would expect and the likely impact on them, do their interests, rights and freedoms override yours? The ICO has made an LIA template available.
The lawful basis chosen also affects which rights an individual can exercise over their personal data. If you rely on consent, the individual can withdraw it at any time and has the right to erasure and to data portability. If you rely on legitimate interests or public task, the individual has the right to object to the processing. Processing under contract also carries the right to data portability. Choose your basis with these rights in mind, since you cannot avoid a right by switching basis after the fact.
4. Update privacy documents
A key component of the GDPR is transparency. Individuals have the right to be informed about the processing of their personal data. No matter what lawful basis you select as most appropriate, and no matter how you justify it, the individual involved should be given as much information regarding the processing as possible.
Information provided should include what data you are processing, your reasons for this, your lawful basis, how long you will keep the data for and a summary of their rights regarding the data. The information should be set out clearly, in easy-to-understand language so that individuals have as much clarity as possible. Examples of well- and not-so-well-written privacy notices can be found on the ICO’s online guide to the GDPR.
Transparency regarding data processing has been discussed heavily following recent revelations involving Cambridge Analytica and Facebook. Under the GDPR, individuals must be fully alerted to your methods, purposes and lawful bases of processing their personal data, as well as anyone you plan to share it with.
Privacy notices should be provided at the time of the collection of the personal data, preferably in the same form as the data will be collected. For instance, if the data is collected by a paper questionnaire, it should be accompanied by a printed privacy notice. Privacy notices should also be made available on your website so that they can be accessed easily, at any time, by individuals.
5. Strengthen your cybersecurity
The GDPR introduces steep fines for infringements, including failing to keep personal data secure and failing to respect individuals' privacy rights. Fines can reach 4% of annual worldwide turnover or €20 million (roughly £17.5 million), whichever is higher.
A personal data breach must be reported to the ICO within 72 hours of your organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where the breach is likely to result in a high risk to individuals, they must be told without undue delay too. Keep an internal record of every breach, including those you decide not to report, with the reasoning behind that decision.
The GDPR fines, combined with the damage to reputation, mean a data breach has the potential to severely disrupt your business. Strengthening your IT security is therefore a vital part of preparing for the GDPR.
Staff can inadvertently cause data breaches: clicking malicious links, responding to fraudulent emails and simple carelessness all lead to incidents. Investing in training is one of the most effective steps you can take to protect your IT network and the personal data you store from cyberattacks. A clued-up employee greatly enhances your data privacy.
The recent data breach at Hudson's Bay may have affected five million of their customers, including Saks Fifth Avenue shoppers. The breach was reportedly caused by attackers sending well-researched phishing emails to staff members, seemingly from their colleagues, encouraging them to open a malicious attachment. The amount of information available online is making it easier for attackers to masquerade as genuine co-workers. Training staff to spot phishing scams such as this is a key step in avoiding a data breach.
Ensuring that your technology is kept up-to-date, enforcing strong password policies and establishing a business continuity plan are also important actions to take. Further information on each of these cybersecurity measures can be found in Internetwork’s five essential steps to improve your cybersecurity.
How to prepare effectively for the GDPR
In preparation for the GDPR, small businesses need to identify the personal data they process and document their lawful basis for that processing. Contracts with any third parties involved must be drawn up wherever a controller-processor relationship exists. Individuals' enhanced privacy rights must be acknowledged, and updated privacy notices should fully inform them about how and why their data is being used.
Alongside accountability, documentation and transparency, the GDPR encourages a privacy by design approach. This is an ongoing commitment to developing processes, products and systems with data privacy in mind from the very beginning.