Although the General Data Protection Regulation (GDPR) is often discussed in terms of large organisations, it applies to every business that processes personal data. The 250-employee threshold that is frequently quoted only relaxes the duty to keep written records of processing activities, and even that relief falls away where the processing is not occasional or involves special categories of data. It is important to be able to demonstrate that you have taken steps to comply, because significant fines (up to €20 million or 4% of worldwide annual turnover, whichever is higher) may follow from audits, inspections or reported data breaches.
There is a wealth of information on the GDPR available, but in this article I am giving you very practical steps to allow you to take the necessary action in your organisation to be ready for May 25th, 2018. I am also giving some examples of processes I have been involved with to give you a real-life feel for the process.
1. Map the Current Flow of Personal Data.
Review and document all data processing activities and security processes in relation to:
- Personal Data – any information relating to an identified or identifiable person, such as name, address and email address, but also identifiers that can be linked back to a person, such as a customer number, an IP address or a payroll reference.
- Sensitive Personal Data – the special categories requiring stronger protection: health, sex life or sexual orientation, religious or philosophical beliefs, political opinions, trade union membership, racial or ethnic origin, and genetic or biometric data.
The main sources of personal data are customers, employees and suppliers. With regard to employees, processing that is necessary to perform the employment contract, to meet a legal obligation (for example tax and social insurance reporting) or for a legitimate interest of the employer does not require consent. Most SMEs shouldn't need to change HR processes; however, it is good practice to review the area to ensure you are only asking for and retaining information needed for those purposes, and that the information you retain on employees is securely stored and deleted when it is no longer needed.
Ask the following questions:
- What data is being collected?
- How was the data obtained?
- From whom is data collected?
- Why is the data being collected?
- How is the data being processed?
- What is the legal basis for each processing operation?
- How long is the data retained?
- To where and to whom is the data being transferred, including any third party or cloud service, and is any of it transferred outside the EEA?
Example: Accountancy Firm – Mapping Data for Payroll Processing
- Staff details received via email in Excel files that are password protected.
- Excel files stored on Google Drive.
- Payroll details processed in the accounting system.
- File with payment details and payroll slips is generated from the accounting system.
- This file is emailed back to the client company.
- P45s and P60s are emailed to the client company as required.
Once this exercise is complete you know everywhere the personal data is received, processed, stored and transferred (in the example above: email in both directions, Google Drive, and the accounting system), and you can then assess the risk at each of those points and take steps to ensure GDPR compliance.
2. Assess Risks
Where processing is likely to result in a high risk to individuals, a Data Protection Impact Assessment (DPIA) must be carried out: a systematic consideration of the potential impact that a project or initiative might have on the privacy of individuals. For most SMEs this is unlikely to be a requirement, but it can apply to a small organisation that processes special-category data (for example health information) on a large scale, or that systematically monitors individuals.
However, you should review the risk that all data processing activities pose for data subjects, asking questions such as:
- Where is the data being stored?
- Is the data safe?
- Who has access to the data?
- How is the data transferred?
You should ensure that any personal data on laptops or other devices is protected by full-disk encryption, that cloud services and external storage devices used for personal data are encrypted, that personal data sent by email is protected in transit (an encrypted attachment or a secure file-transfer service rather than plain attachments), and that all of these can only be accessed by authorised personnel using individual accounts. You should also ensure that any paper documents with personal data, such as employment contracts, are stored securely.
Example: Business Consultancy – Securing Laptops
To ensure all staff laptops were secure, they made sure that every laptop required a login password, had up-to-date anti-virus software, had an encrypted hard drive (so that a lost or stolen laptop does not expose the data on it) and was regularly backed up. Procedures were written for the IT department and for the staff who used the laptops to ensure that these steps were followed consistently, so that if the firm were ever audited, evidence that the procedures were being followed could be produced.
3. Changes Required
Identify any required changes to how the data is received, processed, stored and transferred, and plan any actions required to achieve compliance.
It's important to note that if your work involves offering online services directly to children, you must have adequate systems in place to verify ages and to obtain consent from a parent or guardian for children below the age of digital consent (16 in Ireland; member states may set it as low as 13).
Example: Online Retail Business – Changing a Web Form
They needed to change their web form that asked customers to sign up to their newsletter. They did this as follows:
- Clearly stating the purpose of requesting the personal data ‘We will send you regular updates about …’
- Reducing the information they requested to only the first name and the email address.
- Clearly stating that they would not share the details with anyone else – ‘We won’t add your details to any other list or share them.’
- Stating that consent is easy to withdraw ‘You can unsubscribe at any time.’
- Adding a link to their Data Protection Policy – ‘For more information, see our Data Protection Policy’.
The sign-up itself must be an unambiguous, affirmative action: a pre-ticked box or a sign-up bundled into another transaction does not count as consent. Keep a record of when and how each subscriber consented, as you may need to show it.
4. External Providers
Identify joint controllers, processors and sub-processors (e.g. health insurers or an outsourced payroll provider) and set out in a written contract how the data is to be handled. These third parties need documented instructions covering confidentiality obligations, the security measures they must apply, rules around the appointment of sub-processors, assistance with data subject requests and with notifying breaches, and the return or destruction of the personal data at the end of the relationship.
5. Policy Documents
Create a publicly available data protection policy, which covers the key areas of:
- Consent for personal data to be processed and shared.
- Access to personal data.
- Right to be forgotten.
- Right to portability.
- Right to rectification.
- Breach management, including the duty to notify the supervisory authority within 72 hours of becoming aware of a breach that poses a risk to individuals, and to inform the affected individuals where the risk is high.
6. Staff Training
Ensure all your staff are adequately trained and understand their obligations under the GDPR for personal data, including dealing with access requests, correcting inaccuracies, erasing information, and detecting, reporting and investigating data breaches. It is good practice to keep evidence of all training and to maintain a manual with documented procedures on data protection.
Example: Counselling Services Organisation – Staff Training & Awareness
As the staff are never onsite together at the same time, a training afternoon was organised in a local hotel. All staff and board members were invited to attend. The training covered general data security, such as how to recognise phishing emails, an overview of the principles of the GDPR, and an explanation of how procedures within the organisation had changed; for example, the intake assessment form had been simplified to exclude any personal information that was not relevant. Staff were told that the new procedures were being written up and would be made available to them shortly. All attendees signed an attendance sheet, and any staff who were not able to attend were scheduled for individual training sessions.
7. Ongoing Audits
You should create a procedure that assesses the risk whenever something in your business changes such that you will be requesting new personal data or using existing data in a new way, so that the GDPR principles are applied to every new development. All new staff should be trained on the procedures, and all staff should be regularly reminded of their GDPR obligations. An annual audit is good practice, with some basic checks conducted to confirm that consent is being requested where it is relied on, that data is stored securely, that retention periods are being applied, and that the records of processing are still accurate.
Georgina Kearney is a partner in Data Protection Providers Ltd. who provides support with implementing and auditing the GDPR. You can contact her at +353 86 812 7708 or you can find more details at her website dppl.ie.
Prepared and edited by Andrew Carroll, Journalism MA in DIT.