At last, here are the checklists – what you have to do to ensure you are GDPR compliant. Part 3 now explores GDPR Tactics (the details of the Strategy in Part 2) and the Actions (including checklists you can use) and finally Control – what you need to check to ensure your data is safe and fully under control. Part 1 introduced the GDPR Situation, which is a shock for many businesses, as it could put some out of business!
TACTICS (the details of strategy)
To START MANAGING DATA MUCH MORE SERIOUSLY, employ these Tactics:
Appoint a Data Officer
Medium to large businesses will need a data protection officer.
Audit High-Risk Aspects Of The Business
Businesses must identify very high risks and how they would mitigate them. If your data is encrypted, then it is not ‘high risk’.
Commence Data Protection Impact Assessments (DPIAs)
Guidance on DPIAs will be issued in 2017 as part of the implementation package for the upcoming General Data Protection Regulation (GDPR).
Run An Attack Simulation
Run an attack simulation with senior management to ensure that all of your data processes are robust in the case of an attack or a personal data breach and are GDPR compliant.
Document Your Risk Management
Organisations and accountable individuals must document their approach to managing the risk inherent in collecting and keeping the personal data that your firm, your partners and your suppliers process.
To BUILD A DATA PROTECTION CULTURE – employ these Tactics:
Ensure all your staff (from Board Level down) have regular data protection awareness training (see ‘internal marketing’ in the Action section). Training is the first line of defence. Did you train your staff and your board? Board members need to be aware of the business risks of cyber security and understand the legal significance of an accountable individual at Board level.
Data encryption translates data into another form, or code. Only people with access to a password or secret key (formally called a decryption key) can actually read it. Encrypted data is commonly referred to as ciphertext, while unencrypted data is called plaintext.
Improve Response Times When Reporting Hacks
Under GDPR you have 72 hours to report a breach of security to the ICO (compared to the old 138-day response time). GDPR will become part of the value chain. Businesses will have to integrate GDPR into almost everything as everything becomes connected via the IoT (Internet of Things).
Improve Response Times For SARs
A Subject Access Request (a request to see what data is being kept about you) is free of charge and organisations must complete it within one month. In exceptional circumstances, where multiple requests are made, a ‘reasonable’ administration fee can be charged.
Regularly Scrutinise Your Cloud And Server Suppliers
You have a responsibility to check that your suppliers and any partners are also compliant with GDPR.
Induction & Data Protection
Include data protection in induction processes.
ACTIONS (how to ensure excellent execution of the new GDPR)
Internal Marketing means Motivating, Communicating and Training your team to ensure they execute GDPR with excellence and with passion.
This can come down to specifying detailed actions (checklists of things individuals have to do).
Once all staff fully understand why GDPR is important (find out how to motivate them), communicate with them about its importance and ultimately train them to the point where you even issue fool-proof checklists for procedures or processes. Remember, training is mandatory. So, schedule a series of motivation, communication and training events across the organisation. In marketing parlance, we call all of this (motivating staff, communicating with staff and training staff) Internal Marketing. It’s often forgotten (and requires a budget) and is the hidden reason why so many plans fail.
Ensure staff and board members understand how important GDPR is. Ensure they understand the scale of fines (and prison sentences). Ensure they understand the benefit of keeping clean and secure data. Incentivise employees to spot and fix or report any errors made in data processing.
Communicate to all staff – from Board Level down to operators, the importance of GDPR. Make it part of all regular reporting so that meetings at every level have GDPR on the agenda. Create and refer to Data KPIs.
Anyone handling personal data is now legally obliged to be trained (under the GDPR). Staff must be trained so they understand the 6 basic data protection principles (article 5):
- Consent – did you get consent? Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Purpose – was the data collected for specified, explicit and legitimate purposes?
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date;
- Kept in a form which permits identification of data subjects for no longer than is necessary;
- Processed in a manner that ensures appropriate security of the personal data.
Can you prove that you are compliant with GDPR?
Remember: The Burden of Proof Is On The DC
Under the GDPR the burden of proof is on the DC (Data Controller) to verify that it received lawful consent.
- It must be clearly distinguishable from other matters.
- Data Privacy Notice needs to be intelligible, easily accessible and in clear and plain language.
- It must be as easy to withdraw consent as it is to give it.
- If a service to be delivered is conditional on providing consent to personal data processing, then that consent isn’t deemed to be ‘freely given’ and isn’t valid.
Ardi Kolah, Henley Business School
12 Steps/Actions Preparing for GDPR (ICO)
General Data Protection Regulations – 12 Steps To Take Now
1. You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
2. Information you hold – You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
3. Communicating privacy information – You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
4. You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
5. Subject Access Requests – You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
6. Legal basis for processing personal data – You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
7. You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
8. You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
9. You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
10. Data Protection By Design And Data Protection Impact Assessments – You should familiarise yourself now with the guidance the ICO has produced on Privacy Impact Assessments and work out how and when to implement them in your organisation.
11. Data Protection Officers – You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements.
12. If your organisation operates internationally, you should determine which data protection supervisory authority you come under.
10 More Actions Checklist (tick Yes / No against each item)
1. Any breaches of security must be reported in the EU to the ICO (Information Commissioner’s Office) within 72 hours.
2. Have a data breach response plan ready. Organisations must have contingency plans. Just like fire drills.
3. Review your vendors’ DP. Use vendors that understand and apply GDPR.
4. Prepare a DPIA (Data Protection Impact Assessment) Process.
5. Get your documents, records and processes ready for inspection (including employee consent, the right to be forgotten and not profiled).
6. Have a news release ready. Brief the board (including annual reporting requirements).
8. Carry out regular compliance audits.
9. Larger companies will need to appoint Data Protection Officers.
10. Subject Access Requests (SAR) must be honoured, for example ‘if an employee wants to get his/her previous pay-slips’.
How To Create GDPR-Compliant Consent Forms
- Request as little data as possible
- Make the terms and conditions clear
- Make it easy to withdraw consent
- Use a double opt-in mechanism
A double opt-in mechanism stops individuals from giving their consent by mistake. The first step involves a regular opt-in tick-box (consent form). This is followed by an automated email with a link that they need to click on to verify, or confirm, their consent.
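The double opt-in flow just described, together with the earlier point that the burden of proof for consent sits with the Data Controller, as an added worked example (not code from the original post or from any of the people quoted). It assumes an in-memory store, an `outbox` list standing in for the e-mail sender, a placeholder confirmation URL and a caller-supplied server-side secret; the confirmation token is single-use, time-limited and stored only as an HMAC, and the record keeps the timestamps and privacy-notice version an auditor would ask for.

```python
# Added example (not code from the original post): a minimal double opt-in
# consent flow with the audit record a data controller needs to evidence
# consent. Assumptions: in-memory storage, an "outbox" list standing in for
# the e-mail sender, a placeholder confirmation URL, and a caller-supplied
# server-side secret used to HMAC the stored tokens.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL = timedelta(hours=24)  # confirmation links stop working after this
CONFIRM_URL = "https://example.invalid/consent/confirm"  # placeholder, not a real endpoint


@dataclass
class ConsentRecord:
    """Everything needed later to prove what was agreed, when, and on what terms."""
    email: str
    purpose: str            # one record per specific purpose, never a blanket consent
    notice_version: str     # which privacy notice the person actually saw
    requested_at: datetime  # step 1: tick-box submitted
    confirmed_at: Optional[datetime] = None   # step 2: e-mail link clicked
    withdrawn_at: Optional[datetime] = None
    token_hash: Optional[str] = None          # HMAC of the one-time token, never the token itself
    token_expires: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.confirmed_at is not None and self.withdrawn_at is None


class ConsentService:
    def __init__(self, secret: bytes, now: Optional[Callable[[], datetime]] = None):
        self._secret = secret
        self._now = now or (lambda: datetime.now(timezone.utc))  # injectable clock for testing expiry
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}
        self.outbox: List[Tuple[str, str]] = []  # (recipient, confirmation link)

    def _hash(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def request(self, email: str, purpose: str, notice_version: str) -> str:
        """Step 1: the tick-box. Nothing is active until the e-mail link is used."""
        token = secrets.token_urlsafe(32)
        now = self._now()
        self._records[(email, purpose)] = ConsentRecord(
            email, purpose, notice_version, requested_at=now,
            token_hash=self._hash(token), token_expires=now + TOKEN_TTL,
        )
        self.outbox.append((email, f"{CONFIRM_URL}?token={token}"))
        return token  # returned only so a caller can simulate the click

    def confirm(self, email: str, purpose: str, token: str) -> bool:
        """Step 2: the link in the e-mail. Single use, time-limited, constant-time compare."""
        rec = self._records.get((email, purpose))
        if rec is None or rec.token_hash is None or rec.token_expires is None:
            return False
        if self._now() > rec.token_expires:
            return False
        if not hmac.compare_digest(rec.token_hash, self._hash(token)):
            return False
        rec.confirmed_at = self._now()
        rec.token_hash = None  # the link cannot be replayed
        return True

    def withdraw(self, email: str, purpose: str) -> bool:
        """Withdrawing must be as easy as giving: one call, no token, no questions."""
        rec = self._records.get((email, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = self._now()
        return True

    def may_process(self, email: str, purpose: str) -> bool:
        """The check every processing job should make before touching the data."""
        rec = self._records.get((email, purpose))
        return rec is not None and rec.active

    def evidence(self, email: str, purpose: str) -> Optional[dict]:
        """What you hand to an auditor: timestamps and the notice version, no secrets."""
        rec = self._records.get((email, purpose))
        if rec is None:
            return None
        return {
            "email": rec.email,
            "purpose": rec.purpose,
            "notice_version": rec.notice_version,
            "requested_at": rec.requested_at.isoformat(),
            "confirmed_at": rec.confirmed_at.isoformat() if rec.confirmed_at else None,
            "withdrawn_at": rec.withdrawn_at.isoformat() if rec.withdrawn_at else None,
            "active": rec.active,
        }
```

Two design choices matter here. Processing code asks `may_process()` rather than reading a flag, so a withdrawal takes effect immediately and a tick-box that was never confirmed grants nothing. And `evidence()` is what answers the "can you prove it?" question: it shows when the request was made, when it was confirmed, and against which version of the privacy notice, without exposing the token.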
Are you in control of your data?
Here are 7 Data Protection Questions To Answer Before Some Banks Will Do Business With You
Data assets can become toxic if they do not adhere to GDPR. Gilbert Hill, founder of One Trust, revealed that one bank told him that they won’t ‘do business with you unless you can tell me:
1. How you collect data?
2. How you use it?
3. How you protect it?
4. How you secure it?
5. How you clean it?
6. How you give it back to users?
7. How you check it every six months?’
It is recommended that you clean up your data regularly (Gilbert Hill recommends every 6 months and suggests ‘It can be less risky to bin data and start again’ rather than keeping unclean data). All of this is simply good customer service and excellent marketing practice. GDPR ultimately protects and improves the CX (customer experience). So if you really care about your customers, you should embrace GDPR with open arms.
Another 6 Questions to check you are in control of your customers’ personal data
John Culkin, Director of Information Management, Crown Records Management highlights these 6 ‘must-have’ answers regarding customer data:
- What do you have?
- Where is it?
- Where are you sending it?
- Why do you have it (what do you do with it)?
- What form is it in?
- How long do you need to keep it?
2 Crunch Questions
Can you prove that you have collected data legally and morally?
Can you prove that it is secure?
Other Regulators (beyond the ICO)
The ICO won’t be the only regulator involved. Others include the FCA, the Environment Agency, the General Pharmaceutical Council, Ofcom, the CMA, the Care Quality Commission and many more.
So there you have it – SOME of the details of GDPR. We have looked at some GDPR Tactics you must employ, followed by SOME more detailed action checklists and finally, to ensure you are in control of your GDPR destiny, we looked at some of what you need to monitor and control. Part 1 introduced the GDPR Situation, which is a shock for many businesses, and Part 2 explored Strategy. Embracing GDPR means protecting and caring for your customers’ personal data, and this is a good thing. This will help to build a powerful data asset that helps your organisation to fulfil its goals. The future looks bright when you embrace GDPR.
Many thanks to Ardi Kolah, Henley Business School for the inspiration.
Please note this blog post is not a comprehensive set of legal guidelines. To complete your GDPR preparation, we advise you to check your local Information Commissioner Office or your Data Protection Commissioner.