Dude, where’s my Data?
15th March 2018
Everyone’s getting a little weary of the GDPR countdown by now. We have a little over two months to go, and amazingly some organisations have yet to define a meaningful project that will help them to (a) achieve legal compliance, and (b) respect their customers’ personal data and prove that they can be trusted to look after it. We’ve commented previously on the many “silver bullet” solutions that will magically solve all your data protection woes (they won’t), and the army of GDPR snake oil salesmen that can do it all for you (they can’t). So in this, which has been requested by several folks on our social media channels, we’re going back to basics to get some of the key activities understood … and hopefully underway!
At its core, GDPR mandates “data protection by design and default”, or in simpler words make sure that personal data is protected in your processes and systems (a) automatically, and not just in special cases, and (b) all the time. GDPR also requires (in most cases), a formal Data Protection Impact Assessment takes place to understand any risks to personal data, and highlight any remedial actions that need to be put into practice. Here’s eight key principles that we need to explore further:
- What’s the legal basis for processing the personal data? You need a valid reason to process personal data, and data subjects will expect to understand this – for example within a supporting Privacy Notice or equivalent communication. Some of the legal basis categories within GDPR are more suitable for certain types of activity than others.
(see Article 6)
- Which categories of personal data are you processing? GDPR defines a sub-set of “special categories” which need additional care (e.g. medical data, religious beliefs, biometric/genetic data etc). There’s also special considerations that you’ll need to put in place if you process the personal data of children or vulnerable adults.
(see Article 9)
- Who’s got access to the personal data – not just people but also IT systems? Access should not be a free-for-all, and should be restricted to the minimum required to achieve the data processing objective. You should also implement logging/auditing of access, to make sure that it is appropriate and not being misused.
(see Articles 25 & 30)
- What about outside or your organisation’s boundary? Very few businesses today do everything themselves, and many contract our services such as payroll administration, facilities management or perhaps use a cloud-based accountancy package. Any third-party used need to be assessed as being “demonstrably compliant” with GDPR.
(see Article 28)
- Have you implemented procedures to ensure that the data subject rights within GDPR can be delivered by your business – and within a 30-day window? GDPR provides data subjects with six rights, from subject access requests to data erasure, and the right to have personal data “ported” somewhere else to restricting its processing.
(see Articles 15-21)
- And if a data breach occurs, how will you know? GDPR brings along some robust and time-bound reporting requirements, and you’ll need to have a combination of competent and switched on employees, some form of technical monitoring controls, and a healthy dose of data minimisation in the first place to stay on top of this one. You’ll also need to understand how you will provide effective communication of the breach to affected data subjects.
(see Articles 33 & 34)
- Training, training, training. There’s lots in GDPR which your workforce need to be aware of, and they have an important role in (a) only accessing and using personal data for authorised purposes, and (b) remaining diligent and promptly reporting data breaches when they think something has gone wrong. They’ll need training to understand this.
(see Article 32)
- Finally, and one for the legal specialists, a review of existing contracts and the preparation of new templates which refine how the role of data controller and/or data processor apply to the unique business activities that you undertake. Contract reviews will be needed for employees, customers and suppliers.
(see Articles 24, 26, 28 and 29)
“Access to personal data” also includes IT systems. You’ll note that carefully controlling access to personal data is essential, but what of those hidden technical gremlins – like viruses, malware or ransomware? Back-door accounts for support and maintenance purposes? Ensuring that operating systems and applications don’t become obsolete such that security patches are no longer produced and made available for you to install? And don’t forget backup media, backups to cloud services, and cloud applications themselves. You’ll need to have a productive brain-storming session to ensure that all sources of personal data within IT systems are identified and properly recorded.
“Data Subject Rights” will require you to design and implement a set of processes which deliver responses to a range of data subject rights, available free of charge to data subjects. You’ll need to think about how these are received, how you validate the identity of the requester, and which repositories and systems you will need to access to deliver a response to the request. Here again, you’ll need to consider the timely involvement of any third parties you’ve asked to get involved with the data processing. InfoSaaS provides a GDPR documentation set, which is shortly to be augmented by templated procedures for each of these rights (contact us if of interest).
Strangely, not everyone has downloaded or has access to the GDPR text to find out more about these core components. By no means a recommendation, but we have found the mobile app from global law firm DLA Piper to be very convenient, and of course the ICO website (for UK organisations) communicates advice.
So time is running short, but there is still a window of opportunity to start getting your data protection plans in order. Please remember that GDPR is a long overdue update to our existing Data Protection Act from 1998, which now reflects our increasingly digital and on-line world, and as such is providing the right level of protection for citizen personal data. We’re all data subjects ourselves, so will be able to understand the need for this change, and the benefits to our businesses of earning citizen trust through demonstrating adherence to GDPR’s requirements.