With fewer than 100 days to go until enforcement of the GDPR (General Data Protection Regulation), and this blog post therefore having a short shelf life, a certain level of panic may begin to consume those who have only just started to take the subject seriously.
Although research shows time and time again that the vast majority are in the same state of unpreparedness, that does not change the level of risk after May 25th 2018. With so many articles to comply with, and the overall journey requiring significant changes in some cases, now might be the time to forget about achieving 100% compliance in two months and instead focus on the quick wins that are likely to have the greatest impact and reduce the most risk.
1. Document your processing activities
Article 30 of the GDPR requires that both data controllers and data processors maintain a record of their processing activities. In other words, document every case of processing: what is processed, how it is carried out, its lawful basis, and whether third parties are involved. The article provides an exemption for organisations with fewer than 250 employees where the processing does not put the rights and freedoms of data subjects at risk.
It is my opinion that, considering the value this activity can provide in business practice clarity alone, processing records should be created and maintained regardless.
2. Assess the lawfulness of processing
The GDPR maintains that processing personal data is only ever considered lawful if it meets one of the following criteria:
- The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract.
- Processing is necessary for a legal obligation which the data controller is subject to.
- Processing is necessary to protect the vital interests of the data subject.
- Processing is necessary to carry out a task in the public interest.
- Processing is necessary for the purposes of the legitimate interests pursued by the data controller.
You should assess whether your current data processing activities are considered lawful under the GDPR and of course make changes where required.
3. Have a privacy policy
Privacy policies are documented statements of how your company or organisation complies with data protection regulations in general. They set out the common processing activities you engage in, why you engage in them, with whom you share personal data or processing responsibilities, and who in your organisation is responsible for data protection as a point of contact.
4. Create a Breach and Incident Register
If you have been told that all breaches must be reported to the supervisory authority, or even to the data subjects themselves, you have been incorrectly informed. Breaches only need to be reported where there is a risk to the rights and freedoms of data subjects. However, you are still expected to record incidents of breach internally, and I would argue this is a useful exercise for highlighting areas of risk and improvement, even without the GDPR.
Any instance of unlawful processing, or of unauthorised access, deletion, alteration, transmission or sharing of personal data, is considered a breach and should be recorded in your breach and incident register. Since even the most minor accidental incident counts as a breach, it would be wise to educate your users on how to identify breaches and how to report them for addition to the register.
5. Have processes for Subject Access Requests and Other Rights
The GDPR creates a number of rights for data subjects, as well as maintaining those created under the original data protection directive of 1995. In particular, you would do best to prepare for three as a priority:
- The right to access (subject access request)
- The right to restrict processing
- The right to object
Subject access requests allow data subjects to request information from you about the personal data you hold relating to them and how you process it. Your response is subject to a maximum time limit of 30 days, which creates a sense of urgency and encourages a robust, practised workflow for handling such requests.
The rights to restrict processing and to object to processing relate to a data subject questioning the lawfulness of that processing. If the processing is based on consent, the data subject has the right to withdraw that consent. Much like subject access requests, a robust and well-rehearsed workflow will turn shrugs into success.
All hope is not lost
With precious little time left, all is not lost. A focus on the changes and developments that have the greatest impact and reduce the most risk will set you apart from your peers. Whilst fellow GDPR project leads will be trying to comply with nearly 100 pages of regulation in the time that remains (roughly a page per day, including weekends, at the time of writing), it is worth remembering that it is the tortoise which wins the race.