GDPR-weariness has flourished after the frenetic preparations in the run-up to 25th May. However, GDPR isn’t about quick fixes and compliance doesn’t stop after the sparkly new privacy notice is published, a training session is run, and internal policies written.
As Sara Howers, DPO at Simply Business says, “Like many organisations there was a little bit of a last minute rush to finalise some items, and it’s great now that we’re out the other side of May 25th to be able to start to review much of what was done. In particular the process documents, to ensure that what was written to comply with GDPR in principle, is actually feasible in practice, within the day to day environment. As everyone says May 25th 2018 was just the start of this journey for us and for our customers.”
Here are 10 GDPR survival tips, (in no order of importance, and certainly not professing to cover everything that needs to be considered).
1. PERSONAL DATA BREACHES – BE PREPARED
As the recent Typeform breach teaches us, a hack into one back-up system can have a huge impact. Acting as a ‘processor’ for hundreds of organisations in the UK and globally, Typeform’s breach quickly became an issue for many controllers.
Having a data breach plan is crucial in ensuring you can meet the requirement to notify a supervisory authority within 72-hours if there is a risk to individuals’ privacy. Efficient, quick assessment of what’s happened and understanding how to assess the risk is clearly a challenge, as too is effectively notifying customers if you need to. A customer notification template on standby (which can be adapted to specific circumstances) can mitigate against a rushed, un-reassuring notification with adverse reputational consequences.
Head of Data Protection at News UK, Michael Bond, “While there is no substitute for experience, the old adage rings true, ‘fail to prepare (for a breach) and prepare to fail’”. Here are Michael’s top data breach tips:
- Test your response posture regularly, at least once a year via a desktop exercise with your senior leadership. It raises awareness and demonstrates commitment to protecting customers and employees personal data;
- Make sure that you have a centralised point of escalation for all staff (and customers via your privacy notice) to report incidents – internally, this should be supported by regular awareness activities;
- Pull together a core team of SMEs from Tech, Security, Legal and others who can triage incidents and facilitate effective escalation to your Exec, notification to the ICO and communications to customers, if required; and
- Get great external counsel, forensics, PR teams on retainer. They’re not cheap but neither is a fine or reputational damage.
The importance of staff training simply can’t be underestimated. Staff that don’t understand the key principles of data protection put organisations at risk. Marketing teams that don’t understand how GDPR and ePrivacy interact risk breaching the rules. Employees who don’t know what rights customers have, risk missing an access or erasure request. Regular and appropriate training can also embed in the minds of staff how to avoid and recognise breaches. As we are always told, most data breaches come down to human error.
The ICO has clearly said that when considering contraventions of the rules and potential monetary penalties, it will take into account the level of training staff receive. If the ICO comes knocking, you are highly likely to be asked to provide copies of the training procedures you have in place.
Neil Paterson, Senior Manager Data Protection and Privacy for TUI Group, “We can’t expect everyone to be data protection experts, but training is important to provide a high level of understanding that data protection and privacy compliance is important for us.”
3. PROCESSOR CONTRACTS
One of the biggest headaches for many organisations in the run up to GDPR enforcement was identifying processors and trying to ensure adequate contracts were in place to cover the strict obligations under Article 28. This has proved particularly tricky for controllers where large-scale processors have expected them to sign up to their terms. This is certainly an area where the “compliance journey” rings very true – this will be on on-going process.
4. POLICIES, PROCEDURES, PROCESSES
Most organisations will have focused on their GDPR compliant Privacy Notices, and as your most public-facing document it was important to get it right (albeit I suspect there will be some tweaking taking place on these notices for months to come). But this is just the start of updating /creating the documents you should have in place.
TUI’s Neil Paterson stresses; “It is important that the data protection principles are transformed into practical rules and processes and template solutions for standard situations. Where appropriate, automate data protection and privacy compliance.”
Have you got a data protection policy, an information security policy, a DPIA procedure, an international transfer procedure, a marketing policy for ensuring compliance with PECR, robust processes for handing individual rights and a data retention policy? And, the list for bigger organisations is unlikely to end there.
As Sara Howers points out, even if you have implemented a range of new/updated policies, processes and procedures, do the stand up when applied in practice?
5. UPHOLDING RIGHTS
Many could be mistaken for thinking individuals didn’t have any privacy rights before GDPR, but in fact they’re nothing new. They’ve been enhanced, not created, by the Regulation.
Understanding what individuals’ rights are (back to adequate staff training), when they apply, what the requirements are and how to ensure they are effectively upheld can go a long way to preventing unnecessary escalation of complaints.
Simon Blanchard of Opt-4 adds; “You should think about individual rights in several ways. First you need to have a well-defined and tested process to manage information rights – subject access requests, right to object, erasure requests, and so on. But you also need to think hard about your processing, to make sure that the rights of the individual are properly considered across any processing your organisation does which might impact on those rights. No only marketing, but other areas such as the processing of employee data.”
6. DATA RETENTION
We’ve all read Article 5.1(e) and understand the importance of storage limitation; not retaining data for longer that required for the purpose(s). Even if you have dutifully written your data retention policy, practically ensuring there is responsibility for implementing this across (in many cases) multiple departments, is likely to represent an arduous task. It shouldn’t be pushed back and overlooked. In the event of a breach, personal data you hold with no lawful purpose represents an even bigger and avoidable risk.
Furthermore, Robert Bond of Bristows LLP says, “It is just as important to develop a policy around data destruction and disposal as it is to put in place a detailed data retention policy. Whilst the GDPR requires that personal data is kept no longer than necessary, it is important to recognise that other laws and regulations require some personal data to be kept for prescribed periods.”
And Simon Blanchard adds, “Some businesses use a data retention schedule – typically a spreadsheet which lists the appropriate retention period against processing task.’This is good governance and a useful reference for your staff as well as helping to meet the evidence requirements under GDPR.”
7. PRIVACY BY DESIGN
The principle of Privacy by Design is nothing new, but Article 25 embeds it in data protection law. Organisations are required to ensure appropriate technical and organisational measures (TOMs) are in place to implement data protection principles and safeguard individual rights. Data protection should be integrated into all personal data processing activities and business practices, at the point of inception and throughout the lifecycle.
A key tool for implementing a Privacy by Design approach is Data Protection Impact Assessments (DPIAs – often still referred to as Privacy Impact Assessments). See our Guide to DPIAS.
Simon Blanchard comments, “Privacy by Design is often thought of as a concept for the IT team. You have to make sure your IT systems have appropriate security and privacy controls in place – which for some means a change of approach for new system design and an upgrade for existing systems. But for many businesses a lot of everyday processing takes place by individuals outside the technology stack an on Excel spreadsheet or other files. Sounds familiar? So I see PbD as broader than an IT team responsibility, it should be organisational. PbD is a great concept to engage your senior management team – privacy must be ‘baked in’ across the whole organisation. Which involves reviewing all your processing to make sure risks are mitigated and appropriate compliance controls are in place.”
8. LIAs – THE BALANCE OF INTERESTS
So, you’ve assessed your lawful bases for different processing tasks, identified where you are relying on Legitimate Interests, documented this and informed individuals of what these interests are in your sparkly new Privacy Notice, but have you completed all the necessary Legitimate Interests Assessments (LIAs)?
This is another area which is in danger of being overlooked. Remember, Legitimate Interests can be challenged, and you may need to publicly provide the detail of how you balanced your business interests with the interests and privacy rights and freedoms of individuals. See our industry-led Legitimate Interests Guidance (this includes a sample LIA template and an example of a completed template.
Data Consultant, advisor and NED , Charles Ping, “In the run up to May 25th many data protection professionals bemoaned the apparent ignorance of many companies to Legitimate Interest as they favoured Consent. However just as LI can be challenged it can also be viewed through rose tinted spectacles. It’s worth understanding if any suppliers or partners are relying on LI and taking a view yourself.”
9. INTERNATIONAL TRANSFERS
Again, guaranteeing that any personal data transferred outside the EEA is adequately protected is nothing new, organisations have grappled with model clauses and binding corporate rules for many years. GDPR has just further highlighted the requirements and in some cases made some organisations take note, when they were perhaps hitherto unaware, they were potentially breaching the rules.
Furthermore, if you are using a processor outside the EEA, you need to not only meet the requirements for safeguarding data transferred outside the EEA but Article 28 to boot.
When it comes to transferring data to the US, for the time being, ‘adequacy’ can be achieved if a US organisation is signed up to the EU-US Privacy Shield. But this is facing a serious challenge and could be overturned. Further down the line, there is the big Brexit question, if Britain leaves the EU will it be awarded ‘adequacy’ status?
Last, but by no means least, “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)”. [Article 5.2]
Of the 99 GDPR articles, 39 require evidence to demonstrate compliance. Charles Ping advises, “This means ensuring that your supply chain for data is accountable and this particularly applies to data from partners and suppliers. We’ve all seen some perhaps “ambitious” interpretations of Legitimate Interest and there are a number of vendors collecting cookie data for third party targeting that appear to have a rudimentary understanding of the standards of consent or the specific rejection of prechecked boxes.”
And, dare I mentioned the dreaded Record of Processing Activities? Even if this has been completed it will be an ever-evolving, fluid and undoubtedly substantial document to maintain.
Even for smaller organisations who do not fall under the requirement to have an RPA, there is still a need to ensure you can clearly demonstrate and provide evidence that you take privacy seriously.
Overall, the overriding GDPR principle of Transparency is the absolute key to any organisation’s compliance. Ensuring privacy notices are clear, easy to understand and informative is crucial. The ICO would expect any organisation to ensure it can demonstrate it has informed individuals of how it uses their personal data. There should be no surprises.
Philippa Donn, July 2018
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.