In the second article of our series on the new General Data Protection Regulation (GDPR), Neil Adams, Compliance Officer here at Eduserv, explains the first five steps to compliance that organisations should be prioritising now.
Right now, you’ll be hearing from a variety of sources about the many things that you need to do to prepare for GDPR, so many that it can be difficult to know where to start. Based on our experience of preparing for compliance with GDPR, we’ve identified the five areas that we recommend you prioritise first.
1. Dealing with consent
First and foremost, organisations need to deal with the issue of consent that needs to be provided by customers, employees, citizens, donors to charities and so on. The regulation stipulates that all these people must give their explicit and “informed” consent for their data to be processed. “Informed consent” means the individual must be made aware of how their information is protected, what it’s used for, and what the risks are.
It’s a very pressing issue because this doesn’t just apply to current or future data. Organisations are going to have to audit all their legacy data to find out where it all is, identify where consent was granted correctly, and then delete records where it wasn’t or where new consent can’t be obtained. This is a huge data cleansing and consolidation task.
There are many aspects in the detail of the GDPR that make the matter more complicated. For example, GDPR states that consent has to be specific, informed, unambiguous and freely given. Among other things, “freely given” means that individuals cannot be chased or unduly pressed for their consent. Much rigour needs to be applied to this process because records also need to be kept to evidence that consents have been properly secured.
Many organisations, including local authorities, will also need to consider the position of minors. Children under the age of 16 cannot give consent. It has to be given on their behalf by someone with parental authority. If organisations do hold data on minors, they will have to make reasonable enquiries to check the validity of the person giving the consent for the child.
There are also many issues with what is categorised as ‘sensitive personal data’, which includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership. It also covers the processing of genetic data, biometric data, health data and data relating to sex life or sexual orientation. Organisations need explicit and specific consent for the exact purpose or purposes for which any of this sensitive personal data will be used.
Overall, with all these elements to consider, it’s clear that the issue of consent is the most labour-intensive element of GDPR. As such, it should be your starting point. The good news is that if you go through the process correctly, most of the additional actions you need to take to comply with GDPR – as outlined below – should follow more naturally.
This is also a very important area to tackle early. This is mainly because it’s one of the most obvious areas that the Information Commissioner’s Office (ICO) will be able to scrutinise and hold you accountable for. When investigations do happen, organisations will also need audit trails to prove they have fully upheld the policy in the case of each data subject.
Another issue that organisations need to recognise is that the systems they use to protect personal information are likely to be designed and controlled by their service providers. This means they also need to be careful about making any policy commitments until they’re sure that their service provider has the systems and processes to deliver them.
3. Upholding the right to be forgotten
Another significant element of GDPR is that people have more power to withdraw their consent and get their data amended or deleted. In other words, they have the “right to be forgotten”. As already mentioned above, if organisations have cleansed and consolidated their data in order to manage consent better, this task will be easier.
There is a complication, however, because organisations will need to check that the IT systems they use will actually allow this to happen. At Eduserv, we’ve found through our own GDPR compliance activity that some leading solutions don’t currently allow for an individual record to be located and amended or deleted. With this in mind, organisations will need to make sure their IT systems will support GDPR. This could help avoid having to make distress purchases when it gets closer to May 2018. They should also start to put pressure on their existing solution providers to supply GDPR-compliant solutions by including a “right to be forgotten” facility in future upgrades.
4. Meeting subject access requests
Another key part of GDPR is the right it gives individuals to make a subject access request at any time and get a response within 72 hours. Again, this task will be made considerably easier if you have gone through a process of cleansing, deleting and consolidating data. You’ll also need to make data management processes more efficient and ideally automate the subject access request response process as far as possible. If you don’t get this right, there is a risk of considerable financial penalty. If not handled efficiently, access requests could also prove to be very time-consuming and a drain on your overall productivity.
5. Legitimate data processing and the pseudonymisation and anonymisation of data
When organisations are going through their data cleansing process, they will find that some of those records can’t be deleted even if the subject has asked to ‘be forgotten’. This might be for reasons of financial regulatory compliance, or for a number of other reasons where organisations can show they have “legitimate” reason for retaining and processing the data.
This is another very important area, firstly because organisations will need to be very clear on what those legitimate reasons are and may need specialist help defining and confirming them. Secondly, GDPR recommends that organisations pseudonymise or anonymise the data they can’t legitimately delete in order to be compliant. These are time-consuming processes, and organisations may need specialist systems to carry them out. As with all the elements of GDPR compliance we’ve listed above, this means the time to start planning is now.
Eduserv and data
Eduserv provides a comprehensive range of cloud, digital development, data and cyber security services for the public sector and charities across the UK. We have in-depth knowledge of the way organisations need to manage and protect personal data in all these contexts and are actively helping our customers to prepare for GDPR compliance. For more information get in touch with Neil Adams at firstname.lastname@example.org or 01225 474 312.